CN115174101A - Method and system for generating deniable ring signature based on SM2 algorithm - Google Patents
- Publication number: CN115174101A
- Authority: CN (China)
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abstract
The invention discloses a method and a system for generating a deniable ring signature based on the SM2 algorithm. After a ring signature is generated, a user can prove to other third-party verifiers that the user is the signer of the signature, or deny being the signer of the signature. The invention has the advantages of high security and complete functionality, and provides the functions of confirming and denying a signature while preserving the functions of a conventional ring signature. It can be applied in many fields, such as digital currency and electronic voting.
Description
Technical Field
The invention belongs to the technical field of information security, and particularly relates to a method and a system for generating a deniable ring signature based on the SM2 algorithm.
Background
A digital signature is an important cryptographic scheme: a digital signature on a message is generated through certain cryptographic operations to replace a handwritten signature or a seal. The digital signature is an important tool for authentication: it can verify the identity of the message sender, preventing repudiation by the sender and forgery by the message receiver, and it can verify the integrity of the message to resist forgery attacks by third parties. It is mainly used to establish the identity of the signer and the legitimacy of information, and is currently the most commonly used, most technically mature and most practical cryptographic technology in network communication, electronic commerce and electronic government affairs.
The ring signature scheme proposed by Rivest et al. allows a signer to sign mail anonymously. In a ring signature scheme, a signer who wants to sign a document anonymously first selects the public keys of some entities (signers) and then generates a signature that guarantees that one or more of those signers signed the document. However, in some cases, this scheme allows a signer to shift responsibility onto others.
This problem can be solved by a deniable ring signature, which does not require the group-administrator role used in group signatures. After a ring signature is generated, a user can prove to other third-party verifiers that the user is the signer of the signature, or deny being the signer of the signature.
SM2 is an elliptic curve public key cryptography algorithm issued by the national cryptography administration in December 2010 (see the "SM2 elliptic curve public key cryptography algorithm" specification). Digital signatures, key exchange and data encryption can be implemented based on this algorithm.
Disclosure of Invention
The technical problem of the invention is mainly solved by the following technical scheme:
A deniable ring signature generation method based on the SM2 algorithm, characterized in that after a ring signature is generated, a user can, through an established proof confirmation protocol or denial protocol, prove to other third-party verifiers that the user is the signer of the ring signature, or deny that the user is the signer of the ring signature.
In the above method, when proving, a proof confirmation protocol is established between a prover P, i.e. the user A_i who generated the ring signature and needs to prove that the ring signature was generated by them, and a verifier V, specifically:
the verifier sends a, b to the prover; the prover verifies whether C = a·W + b·G holds; if it holds, the next step is carried out; otherwise, the verification is aborted;
the prover sends r to the verifier, who checks whether K = a·W + (b + r)·G holds; if so, the signature is confirmed to have been signed by the prover.
In the above method, when denying, a denial protocol is established between a prover, i.e. a user A_j, j ≠ i, who did not generate the ring signature and needs to prove that the ring signature was not generated by them, and a verifier. Let k be a value negotiated jointly by the two parties; the prover can deceive the verifier with probability 1/k, and the probability of deception is reduced by running multiple rounds of the denial protocol, specifically:
the prover finds the a that satisfies the equation d_j·C_1 - C_2 = a·(d_j·W - S); the prover selects a random value and sends t = H_1(a, r) to the verifier;
the verifier sends a, b to the prover; the prover verifies whether C_1 = a·W + b·G and C_2 = a·S + b·P_j hold; if they hold, the next step is carried out; otherwise, the verification is aborted;
the prover sends r to the verifier, who checks whether t = H_1(a, r) holds; if it holds, the signature is deemed not to have been signed by the prover.
In the above method, k is set to 1024 and the protocol is executed 2 times, so that the probability of spoofing is less than 2^{-100}.
In the above method, the ring signature generation includes:
System initialization: generating system parameters based on an elliptic curve equation;
Key generation: generating a public/private key pair of a user based on the system parameters;
Signing: generating a deniable ring signature value based on the generated system parameters, the private key of the user, and the message;
Verification: verifying the validity of the signature based on the generated system parameters, the list of public keys, the message, and the signature value.
In the above method, at system initialization, a security parameter 1^n is given, and:
a finite field is selected and the elliptic curve equation y^2 = x^3 + ax + b mod p is generated; the points satisfying the equation form an Abelian group.
In the above method, at key generation, the system parameters PP are given, and:
the public key P_i = d_i·G is computed;
the public/private key pair (P_i, d_i) is output.
In the above method, at signing, the system parameters PP, the private key d_i of user A_i, and a message m are given, and:
user A_i randomly selects the public keys of (n-1) users and adds its own public key P_i to form a list;
S = d_i·W is computed;
for j = i+1, ..., n, 1, ..., i-1, user A_i makes a random selection, calculating T_j = s_j·G + (s_j + c_j)·P_j, Y_j = s_j·W + (s_j + c_j)·S, calculating
s_i = ((1 + d_i)^{-1}·(k_i - c_i·d_i)) mod q is computed;
the deniable ring signature value σ = (t, S, c_1, s_1, s_2, ..., s_n) on message m is output for the list.
In the above method, at verification, the system parameters PP, a public key list, a message m′ and a signature value σ′ = (t′, S′, c′_1, s′_1, s′_2, ..., s′_n) are given, and:
the message digest W′ = H_2(m′||t′) is computed;
for j = 1, 2, ..., n in turn, T′_j = s′_j·G + (s′_j + c′_j)·P_j and Y′_j = s′_j·W′ + (s′_j + c′_j)·S′ are computed, then c′_{j+1} = H_1(L, t′, W′, S′, m′, T′_j, Y′_j);
whether the equation c′_1 = c′_{n+1} holds is verified; if it holds, σ′ is a valid signature; otherwise, the signature is invalid.
A system configured to enable a user to prove to other third party verifiers, via the system, that the user is a signer of a ring signature or to deny that the user is a signer of the ring signature after a ring signature has been generated.
Therefore, the invention has the following advantages: on top of a conventional ring signature, the ring signature of the invention provides 2 additional functions, confirmation and denial, completing the functionality of the ring signature without introducing a trusted third party, and it can be applied to fields such as digital currency and electronic voting.
Drawings
FIG. 1 is a schematic diagram of the signature and verification algorithm of the present invention.
FIG. 2 is a schematic diagram of the validation algorithm of the present invention.
FIG. 3 is a schematic diagram of the denial algorithm of the present invention.
Detailed Description
The technical scheme of the invention is further specifically described by the following embodiments and the accompanying drawings.
Embodiment:
The parameters involved in the present invention are defined as follows:
An elliptic curve group of prime order q, whose elements are points on the elliptic curve.
mod q: the modulo q operation.
m: a message value.
σ: a signature value.
||: bit string concatenation.
A_i: the i-th user.
d_i: the private key of user A_i.
P_i: the public key of user A_i.
σ = (t, S, c_1, s_1, s_2, ..., s_n): the deniable ring signature value.
a, b: intermediate variables.
The invention provides a deniable ring signature scheme based on the SM2 algorithm. The scheme comprises 6 stages: system initialization (Setup), key generation (KeyGen), signing (Sign), verification (Verify), confirmation (Confirm), and denial (disable).
1) System initialization: given a security parameter 1^n, the following steps are executed:
a) Select a finite field and generate the elliptic curve equation y^2 = x^3 + ax + b mod p; the points that satisfy the equation form an Abelian group.
2) Key generation: given the system parameters PP, a user A_i performs the following steps:
b) Compute the public key P_i = d_i·G.
c) Output the public/private key pair (P_i, d_i).
3) Signing: given the system parameters PP, the private key d_i of user A_i, and a message m, user A_i performs the following steps:
a) User A_i randomly selects the public keys of (n-1) users and adds its own public key P_i to form a list.
c) Compute S = d_i·W.
e) For j = i+1, ..., n, 1, ..., i-1, user A_i makes a random selection, calculating T_j = s_j·G + (s_j + c_j)·P_j, Y_j = s_j·W + (s_j + c_j)·S, calculating
f) Compute s_i = ((1 + d_i)^{-1}·(k_i - c_i·d_i)) mod q.
g) Output the deniable ring signature value σ = (t, S, c_1, s_1, s_2, ..., s_n) on the message m for the list.
4) Verification: given the system parameters PP, a public key list, a message m′ and a signature value σ′ = (t′, S′, c′_1, s′_1, s′_2, ..., s′_n), the verifier performs the following steps:
b) Compute the message digest W′ = H_2(m′||t′).
c) For j = 1, 2, ..., n in turn, compute T′_j = s′_j·G + (s′_j + c′_j)·P_j and Y′_j = s′_j·W′ + (s′_j + c′_j)·S′, then compute c′_{j+1} = H_1(L, t′, W′, S′, m′, T′_j, Y′_j).
d) Verify whether the equation c′_1 = c′_{n+1} holds; if it holds, σ′ is a valid signature; otherwise, the signature is invalid.
5) Confirmation: the confirmation protocol is run between a prover (abbreviated P, the user A_i who generated the ring signature and needs to prove that the ring signature was generated by them) and a verifier (abbreviated V).
b) P → V: the prover makes a random selection, computes K = a·W + (b + r)·G, and sends (K, L) to the verifier.
c) V → P: the verifier sends a, b to the prover; the prover verifies whether C = a·W + b·G holds; if it holds, the next step is carried out; otherwise, the verification is aborted.
d) P → V: the prover sends r to the verifier, who checks whether K = a·W + (b + r)·G holds; if so, the signature is confirmed to have been signed by the prover.
6) Denial: the denial protocol is run between a prover (a user A_j who did not generate the ring signature) and a verifier. Let k be a value negotiated jointly by the two parties; the prover can deceive the verifier with probability 1/k, but the probability of deception can be reduced, to less than 2^{-100}, by running multiple rounds of the denial protocol.
a) V → P: the verifier randomly selects a in [1, k], computes C_1 = a·W + b·G and C_2 = a·S + b·P_j, and sends C_1, C_2 to the prover.
b) P → V: the prover finds the a that satisfies the equation d_j·C_1 - C_2 = a·(d_j·W - S); the prover selects a random value and sends t = H_1(a, r) to the verifier.
c) V → P: the verifier sends a, b to the prover; the prover verifies whether C_1 = a·W + b·G and C_2 = a·S + b·P_j hold; if they hold, the next step is carried out; otherwise, the verification is aborted.
d) P → V: the prover sends r to the verifier, who checks whether t = H_1(a, r) holds; if it holds, the signature is deemed not to have been signed by the prover.
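The following Python is an added example, not code from the patent: it runs stage 3 (signing), stage 4 (verification) and step b) of stage 6 (the prover's search for a) on the SM2 recommended curve. Assumptions not taken from the page: SHA-256 stands in for H_1 and, through try-and-increment, for H_2; t is a random 16-byte value; the signer's own link uses T_i = k_i·G and Y_i = k_i·W; all function names are illustrative.

```python
# Added example, not the patent's code; ASSUMPTION marks steps the page omits.
import hashlib, secrets
def hx(s): return int(s.replace(" ", ""), 16)
# SM2 recommended curve y^2 = x^3 + A*x + B over F_p; G has prime order q.
p = 2**256 - 2**224 - 2**96 + 2**64 - 1
A, B = p - 3, hx("28E9FA9E 9D9F5E34 4D5A9E4B CF6509A7 F39789F5 15AB8F92 DDBCBD41 4D940E93")
q = hx("FFFFFFFE FFFFFFFF FFFFFFFF FFFFFFFF 7203DF6B 21C6052B 53BBF409 39D54123")
G = (hx("32C4AE2C 1F198119 5F990446 6A39C994 8FE30BBF F2660BE1 715A4589 334C74C7"),
     hx("BC3736A2 F4F6779C 59BDCEE3 6B692153 D0A9877C C62A4740 02DF32E5 2139F0A0"))

def add(P, Q):  # affine addition; None is the point at infinity
    if P is None or Q is None: return Q if P is None else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0: return None
    if P == Q: lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, p) % p
    else: lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, P):  # double-and-add; not constant time
    R, k = None, k % q
    while k:
        if k & 1: R = add(R, P)
        P, k = add(P, P), k >> 1
    return R
def neg(P): return None if P is None else (P[0], -P[1] % p)
def H1(*items):  # ASSUMPTION: SHA-256 over repr() stands in for H_1 -> Z_q
    return int.from_bytes(hashlib.sha256(repr(items).encode()).digest(), "big") % q

def H2(m, t):  # ASSUMPTION: try-and-increment hash of m||t to a curve point
    ctr = 0
    while True:
        h = hashlib.sha256(m + t + ctr.to_bytes(4, "big")).digest()
        x = int.from_bytes(h, "big") % p
        rhs = (x * x * x + A * x + B) % p
        y = pow(rhs, (p + 1) // 4, p)  # square root, valid since p % 4 == 3
        if y * y % p == rhs: return (x, y)
        ctr += 1

def keygen():
    d = secrets.randbelow(q - 2) + 1  # d in [1, q-2], so 1 + d is invertible mod q
    return mul(d, G), d

def link(L, t, W, S, m, s_j, c_j, P_j):  # c_{j+1} = H_1(L, t, W, S, m, T_j, Y_j)
    e = (s_j + c_j) % q
    T, Y = add(mul(s_j, G), mul(e, P_j)), add(mul(s_j, W), mul(e, S))
    return H1(L, t, W, S, m, T, Y)

def sign(m, L, i, d_i):  # i: signer's 0-based position in the key list L
    n, t = len(L), secrets.token_bytes(16)  # ASSUMPTION: t is a fresh random value
    W = H2(m, t)
    S, k_i = mul(d_i, W), secrets.randbelow(q - 1) + 1  # tag S = d_i*W, nonce k_i
    c, s = [0] * n, [0] * n
    # ASSUMPTION: the signer's own link commits to T_i = k_i*G, Y_i = k_i*W
    c[(i + 1) % n] = H1(L, t, W, S, m, mul(k_i, G), mul(k_i, W))
    for step in range(1, n):  # j = i+1, ..., n, 1, ..., i-1
        j = (i + step) % n
        s[j] = secrets.randbelow(q - 1) + 1
        c[(j + 1) % n] = link(L, t, W, S, m, s[j], c[j], L[j])
    s[i] = pow(1 + d_i, -1, q) * (k_i - c[i] * d_i) % q  # closes the ring
    return t, S, c[0], s

def verify(m, L, sig):
    t, S, c1, s = sig
    if S is None or len(s) != len(L): return False
    W, c = H2(m, t), c1
    for s_j, P_j in zip(s, L):
        c = link(L, t, W, S, m, s_j, c, P_j)
    return c == c1  # c'_1 == c'_{n+1}

def recover_a(d_j, W, S, C1, C2, k):
    """Denial step b): find a in [1, k] with d_j*C1 - C2 = a*(d_j*W - S)."""
    target, base = add(mul(d_j, C1), neg(C2)), add(mul(d_j, W), neg(S))
    if base is None: return None  # S = d_j*W: the signer learns nothing about a
    acc = None
    for a in range(1, k + 1):
        acc = add(acc, base)
        if acc == target: return a
    return None
```

For the actual signer, d_i·W - S is the point at infinity, so `recover_a` returns nothing and the signer can only pass a denial round by guessing a, which is the 1/k deception probability stated above.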
The specific embodiments described herein are merely illustrative of the spirit of the invention. Various modifications or additions may be made to the described embodiments, or alternatives may be employed, by those skilled in the art, without departing from the spirit or ambit of the invention as defined in the appended claims.
Claims (10)
1. A deniable ring signature generation method based on the SM2 algorithm, characterized in that after a ring signature is generated, a user can, through an established proof confirmation protocol or denial protocol, prove to other third-party verifiers that the user is the signer of the ring signature, or deny that the user is the signer of the ring signature.
2. The deniable ring signature generation method based on the SM2 algorithm according to claim 1, characterized in that, when proving, a proof confirmation protocol is established between a prover P, i.e. the user A_i who generated the ring signature and needs to prove that the ring signature was generated by them, and a verifier V, specifically:
the verifier randomly selects a, computes C = a·W + b·G, and sends C to the prover;
the verifier sends a, b to the prover; the prover verifies whether C = a·W + b·G holds; if it holds, the next step is carried out; otherwise, the verification is aborted;
3. The deniable ring signature generation method based on the SM2 algorithm according to claim 1, characterized in that, when denying, a denial protocol is established between a prover, i.e. a user A_j, j ≠ i, who did not generate the ring signature and needs to prove that the ring signature was not generated by them, and a verifier; let k be a value negotiated by the two parties; the prover can deceive the verifier with probability 1/k, and the probability of deception is reduced by running multiple rounds of the denial protocol, specifically:
the verifier randomly selects a in [1, k], computes C_1 = a·W + b·G and C_2 = a·S + b·P_j, and sends C_1, C_2 to the prover;
the prover finds the a that satisfies the equation d_j·C_1 - C_2 = a·(d_j·W - S); the prover selects a random value and sends t = H_1(a, r) to the verifier;
the verifier sends a, b to the prover; the prover verifies whether C_1 = a·W + b·G and C_2 = a·S + b·P_j hold; if they hold, the next step is carried out; otherwise, the verification is aborted;
the prover sends r to the verifier, who checks whether t = H_1(a, r) holds; if it holds, the signature is deemed not to have been signed by the prover.
4. The deniable ring signature generation method based on the SM2 algorithm according to claim 2, characterized in that k is set to 1024 and the protocol is executed 2 times, so that the probability of spoofing is less than 2^{-100}.
5. The method of claim 1, wherein the ring signature generation comprises:
System initialization: generating system parameters based on an elliptic curve equation;
Key generation: generating a public/private key pair of a user based on the system parameters;
Signing: generating a deniable ring signature value based on the generated system parameters, the private key of the user, and the message;
Verification: verifying the validity of the signature based on the generated system parameters, the public key list, the message, and the signature value.
6. The deniable ring signature generation method based on the SM2 algorithm according to claim 5, characterized in that, at system initialization, a security parameter 1^n is given, and:
a finite field is selected and the elliptic curve equation y^2 = x^3 + ax + b mod p is generated; the points satisfying the equation form an Abelian group.
8. The deniable ring signature generation method based on the SM2 algorithm according to claim 5, characterized in that, at signing, the system parameters PP, the private key d_i of user A_i, and a message m are given, and:
user A_i randomly selects the public keys of (n-1) users and adds its own public key P_i to form a list;
S = d_i·W is computed;
for j = i+1, ..., n, 1, ..., i-1, user A_i makes a random selection, calculating T_j = s_j·G + (s_j + c_j)·P_j, Y_j = s_j·W + (s_j + c_j)·S, calculating
s_i = ((1 + d_i)^{-1}·(k_i - c_i·d_i)) mod q is computed;
9. The deniable ring signature generation method based on the SM2 algorithm according to claim 5, characterized in that, at verification, the system parameters PP, a public key list, a message m′ and a signature value σ′ = (t′, S′, c′_1, s′_1, s′_2, ..., s′_n) are given, and:
the message digest W′ = H_2(m′||t′) is computed;
for j = 1, 2, ..., n in turn, T′_j = s′_j·G + (s′_j + c′_j)·P_j and Y′_j = s′_j·W′ + (s′_j + c′_j)·S′ are computed, then c′_{j+1} = H_1(L, t′, W′, S′, m′, T′_j, Y′_j);
whether the equation c′_1 = c′_{n+1} holds is verified; if it holds, σ′ is a valid signature; otherwise, the signature is invalid.
10. A system configured to enable a user to prove to other third party verifiers, via the system, that the user is a signer of a ring signature or to deny that the user is a signer of the ring signature after a ring signature has been generated.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210719552.2A CN115174101B (en) | 2022-06-23 | 2022-06-23 | SM2 algorithm-based repudiation ring signature generation method and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN115174101A true CN115174101A (en) | 2022-10-11 |
CN115174101B CN115174101B (en) | 2024-06-11 |