CN1801702A - Distributed network interactive identity authentication method based on zero-knowledge - Google Patents

Publication number
CN1801702A
Authority
CN
China
Prior art keywords
random
communication
random number
point
opposing party
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN 200410099365
Other languages
Chinese (zh)
Inventor
张大陆
刘敏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tongji University
Original Assignee
Tongji University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tongji University
Priority to CN 200410099365
Publication of CN1801702A

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention provides a zero-knowledge-based interactive identity authentication method for distributed networks, comprising: the two communicating parties agree in advance, over a public channel, on a conic curve over a finite field and a random point on it; each party selects a random number as its private key, calculates the product of the random point and the random number, and sends the curve, the random point and said product to the other party as its public key; when transferring information, the information is first embedded as a point on the conic curve; when enciphering, a random positive integer is selected, the ciphertext is calculated using the other party's public key and transferred to the other party; when deciphering, the plaintext is calculated with the private key. The invention is better suited to new P2P, Grid and other such environments.

Description

A distributed network interactive identity authentication method based on zero knowledge
Technical field
The present invention relates to a method suitable for interactive identity authentication and identification in distributed networks, and belongs to the field of computer network security.
Background art
At present, authentication in networks is mainly carried out through public-key authentication in a PKI system. PKI is public key infrastructure, that is, infrastructure built with public-key theory and technology that provides information security services. PKI authenticates by certificate: during authentication the other party knows that you are you, but cannot know why you are you. Here a certificate is a proof from a trusted third party, by which the communicating parties can authenticate each other securely without worrying that the other side is an impostor. Public-key systems are widely used in fields such as CA authentication, digital signatures and key exchange. However, PKI involves not only technical problems but also multi-level problems such as the overall development strategy of e-government, e-commerce and national informatization. Public-key authentication needs to consider the credibility of the CA certificates issued by the CA (certification authority), and must first consider establishing a traditional public-key certification chain. This mode of authentication becomes very difficult when the environment has no fixed trusted third party.
Zero-knowledge authentication originally used the private key of the party being identified as its "identity" function: by using a zero-knowledge proof, the prover can prove that it knows its own private key and thereby prove its identity. The security of this identification is based on the difficulty of factoring large numbers, but it is unsatisfactory because the amount of interaction with external information is too large.
The ElGamal algorithm can be used both for data encryption and for digital signatures; its security depends on the difficulty of computing discrete logarithms over a finite field. First select a prime p and two random numbers g and x, where g, x < p, and compute
$$y = g^{x} \pmod{p} \tag{1}$$
Here x mod p denotes the remainder of x divided by p. The public key is then y, g and p, and the private key is x. g and p can be shared by a group of users. When ElGamal is used for a digital signature, let the message to be signed be M. First select a random number k that is relatively prime to p-1, and compute
$$a = g^{k} \pmod{p} \tag{2}$$
Then use the extended Euclidean algorithm to solve the following equation for b:
$$M = xa + kb \pmod{p-1} \tag{3}$$
The signature is (a, b), and the random number k must be discarded. Verification checks the following equation:
$$y^{a} a^{b} \pmod{p} = g^{M} \pmod{p} \tag{4}$$
The ElGamal algorithm is used for encryption as follows. Let the message to be encrypted be M. First select a random number k that is relatively prime to p-1, and compute
$$a = g^{k} \pmod{p} \tag{5}$$
$$b = y^{k} M \pmod{p} \tag{6}$$
(a, b) is the ciphertext, which is twice the length of the plaintext. Decryption computes
$$M = b / a^{x} \pmod{p} \tag{7}$$
Using the ElGamal algorithm for identity authentication has the same disadvantage as identity authentication strategies that generally require a CA, namely that this mode of authentication becomes very difficult when the environment has no fixed trusted third party.
Summary of the invention
The invention provides a zero-knowledge identity authentication scheme that uses the ElGamal cryptographic algorithm on a conic section.
The mathematical basis of the conic section cryptosystem: let $F_p$ be the finite field of p elements (p an odd prime), and consider the conic section C on the affine plane $A^{2}(F_p)$
$$C:\ y^{2} = (ax^{2} - bx) \bmod p, \quad a, b \in F_p,\ a, b \neq 0 \tag{8}$$
The origin O(0,0) lies on the conic section C. If $x \neq 0$, let $y = xt$; formula (8) then gives
$$x(a - t^{2}) = b \bmod p, \quad a \neq t^{2} \tag{9}$$
From formula (9), $x = b(a - t^{2})^{-1}$; substituting into $y = xt$ gives $y = bt(a - t^{2})^{-1}$, where $x^{-1}$ denotes the inverse of x in the finite field.
An addition $\oplus$ is defined on the points of this conic section $C(F_p)$. The origin O is denoted P(∞). Let $H = \{t \in F_p,\ t^{2} \neq a\} \cup \{\infty\}$. For an arbitrary point $P(t) \in C(F_p)$, with parameter $t \in H$, define
$$P(t) \oplus P(\infty) = P(\infty) \oplus P(t) = P(t);$$
For two points $P(t_1), P(t_2) \in C(F_p)$ on the conic section, with parameters $t_1, t_2 \in H$ and $t_1, t_2 \neq \infty$,
$$P(t_1) \oplus P(t_2) = P(t_3)$$
$$t_3 = \begin{cases} (t_1 t_2 + a)(t_1 + t_2)^{-1}, & t_1 + t_2 \neq 0 \\ \infty, & t_1 + t_2 = 0 \end{cases} \tag{11}$$
The triple $(C(F_p), \oplus, P(\infty))$ forms a finite Abelian group.
To achieve the object of the invention, the invention adopts ElGamal public-key encryption and decryption mechanisms based on a conic section. Its technical scheme is as follows.
A distributed network interactive identity authentication method based on zero knowledge:
First, the first party and the second party select in advance, over a public channel, a conic section over a finite field and a random point belonging to this conic section. This point should generate a very large subgroup, preferably as large as, or close to, the group formed by the conic section itself;
The first party selects a random number as its private key, calculates the product of the random point and the random number, and transmits the above curve, the random point and their product to the second party as the first party's public key;
The second party selects a random number as its private key, calculates the product of the random point and the random number, and transmits the above curve, the random point and their product to the first party as the second party's public key;
Suppose the first party wants to transmit information to the second party; it first embeds the information as a point on the conic section;
When encrypting, the first party selects a randomly generated positive integer, uses the second party's public key to calculate the ciphertext, and transmits it to the second party;
When decrypting, the second party uses its private key to calculate the plaintext from the ciphertext.
The security of the protocol adopted by the invention is based on the computation of discrete logarithms on a conic section. Compared with authentication in the traditional PKI architecture, this method does not need a fixed CA center unified across the whole scope, and is better suited to emerging distributed system environments such as P2P and Grid. Compared with elliptic curve cryptography, conic section cryptography is simpler and more convenient in three respects: determining the cardinality of the algebraic curve so that it contains a large prime factor, encoding and decoding the plaintext embedded in the algebraic curve, and encryption and decryption.
Embodiment
The invention is further described below with reference to an embodiment.
Select a conic section over a finite field and a random point belonging to the conic section. The first party selects a random number as its private key, calculates the product of the random point and the random number, and takes the above curve, the random point and their product as the first party's public key.
As shown in Figure 1, the simple identity authentication protocol proceeds as follows:
(a) The first party chooses a positive integer k at random, calculates k(aP) according to formulas (10) and (11), and sends it to the second party.
(b) The second party generates a random bit b. According to this random parameter it calculates iP according to formulas (10) and (11), where i is a random number generated by the second party. It sends (b, M) to the first party.
(c) Depending on the value of b received, the first party decides whether the value returned to the second party is k or a(M).
(d) The second party performs the verification that corresponds to the value of the random bit b, and confirms that the first party knows a.
The above is a single round of the protocol. The first party and the second party repeat the protocol t times, until the second party is convinced that the first party knows the key a or rejects this claim.
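The group law of formula (11) and one round of steps (a) to (d), as an added Python example that is not part of the patent text; it works on the parameter t of each point P(t), and the `cheat` flag models a responder without the private key, who still passes the b = 0 branch but fails b = 1. The function names, the toy parameters and the rejection of a challenge M = P(∞) are assumptions made for the example.

```python
import secrets

INF = None  # parameter of P(∞), the origin O, which is the group identity

def add(t1, t2, a, p):
    """Formula (11): parameter t3 of the sum of P(t1) and P(t2)."""
    if t1 is INF:
        return t2
    if t2 is INF:
        return t1
    s = (t1 + t2) % p
    if s == 0:
        return INF
    return (t1 * t2 + a) * pow(s, -1, p) % p

def mul(n, t, a, p):
    """n-fold sum of P(t) with itself, by double-and-add."""
    acc = INF
    while n:
        if n & 1:
            acc = add(acc, t, a, p)
        t = add(t, t, a, p)
        n >>= 1
    return acc

def coords(t, a, b, p):
    """Affine point for parameter t: x = b(a - t^2)^-1, y = xt (from formula (9))."""
    if t is INF:
        return (0, 0)
    x = b * pow((a - t * t) % p, -1, p) % p
    return (x, x * t % p)

def auth_round(priv, P, pub, a, p, bit=None, cheat=False):
    """One protocol round; `a` is the curve coefficient, `priv` the private key."""
    # Step (a): the first party commits to X = k(aP), using only public data.
    k = secrets.randbelow(p - 2) + 1
    X = mul(k, pub, a, p)
    # Step (b): the second party picks bit b and, for b = 1, i with M = iP.
    bit = secrets.randbits(1) if bit is None else bit
    i, M = 0, INF
    while bit and M is INF:  # assumption: never challenge with the identity
        i = secrets.randbelow(p - 2) + 1
        M = mul(i, P, a, p)
    # Step (c): the first party answers k for b = 0, or a(M) for b = 1.
    key = priv + 1 if cheat else priv  # cheat: responder holds a wrong key
    resp = k if bit == 0 else mul(key, M, a, p)
    # Step (d): the second party checks X = k(aP) or Y = i(aP).
    if bit == 0:
        return X == mul(resp, pub, a, p)
    return resp == mul(i, pub, a, p)

# Constructed toy parameters, far too small for real use.
p, a, b = 1019, 1018, 7    # a = -1 is a non-residue because p % 4 == 3
P = 5                      # parameter t of the public base point P(t)
priv = 321                 # the first party's private key
pub = mul(priv, P, a, p)   # public key component aP
```

Because a is a quadratic non-residue here, every t in F_p is a valid parameter and the group has p + 1 elements.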
Suppose there is a function φ(p) related to p, and that the second party accepts the identity of the first party when the probability Pr of the first party deceiving the second party is required to be less than 1/φ(p).
$$\Pr = 2^{-t} < 1/\varphi(p) \tag{12}$$
which gives
$$t > \log_2 \varphi(p) \tag{13}$$
Get Satisfy condition. At this point, let the number of operations that the first party must perform on C be $f_p$; then
$$kt \le f_p \le (a + k)t \tag{14}$$
where k is the random number chosen by the first party, t is the number of protocol runs, and a is the private key of the first party. Let the number of operations that the second party must perform on C be $f_V$; then
$$t \min(2i, k) \le f_V \le t \max(2i, k) \tag{15}$$
where t and k take the same values as in formula (14), and i is the random number generated by the second party.
A parallel construction can increase the number of authentications per round and effectively reduce the number of interactions between the first party and the second party. The key to the parallel construction of the above protocol is the second step: the second party generates a random binary string $b_1, b_2, \ldots, b_s$ of s bits in place of b, and at the same time generates a random positive integer $i_t$ for each non-zero $b_t$, and sends $(b_1, M_1), \ldots, (b_s, M_s)$ to the first party, where $M_t$ is zero when $b_t$ is zero and $M_t$ is $i_t P$ when $b_t$ is non-zero.
Select a conic section C over the finite field $F_p$ (where p is an odd prime) and a random point P ∈ C. The first party selects s random numbers $a_1, a_2, \ldots, a_s \in \{1, 2, \ldots, p-1\}$ as its private key, calculates $a_1 P, a_2 P, \ldots, a_s P$, and takes $(C, P, a_1 P, a_2 P, \ldots, a_s P)$ as the public key of the first party.
The parallel identity authentication protocol is as follows:
(1) The first party chooses a positive integer k at random, calculates k(aP) according to formulas (10) and (11), where $a = a_1 + a_2 + \ldots + a_s$, and sends X to the second party.
(2) The second party generates a random bit string $b_1, b_2, \ldots, b_s$. For each non-zero $b_t$ it generates a random positive integer $i_t$; $M_t$ is zero when $b_t$ is zero and $M_t$ is $i_t P$ when $b_t$ is non-zero. It sends $(b_1, M_1), \ldots, (b_s, M_s)$ to the first party.
(3) The first party calculates $\sum_{t=1}^{s} a_t M_t + \left(\sum_{t=1}^{s} a_t\right) kP$ according to formulas (10) and (11) and sends it to the second party;
(4) The second party verifies whether the value it received equals $\sum_{t=1}^{s} i_t (b_t a_t P) + kaP$.
The security of the protocol derived above has a default condition, namely that all participants, including the normal participants (the first party and the second party) and an attacking first party or second party, strictly observe the rules of the protocol. If there is now an attacker, a third participant, this embodiment prevents the attack by adding a timeout limit $t_{Timeout}$ to the protocol.
Still taking the simple identity authentication scheme as an example, the protocol is modified as follows:
(1) The first party chooses a positive integer k at random, calculates k(aP) according to formulas (10) and (11), and sends X and the timestamp T1 to the second party.
(2) The second party first checks against the first party's timestamp whether the timeout has expired. If so, this round of the protocol is cancelled; if not, it generates a random bit b. If b=0, M=0; if b=1, the second party generates a random positive integer i and M=iP. It sends (b, M) and the timestamp T2 to the first party.
(3) The first party first checks for a timeout; if the timeout has expired, this round of the protocol stops. Otherwise, if b=0, the first party sends k to the second party; if b=1, the first party calculates a(M) according to formulas (10) and (11) and sends Y to the second party.
(4) The second party first checks for a timeout; if the timeout has expired, this round of the protocol stops. Otherwise, if b=0, the second party verifies X=k(aP), confirming that the first party knows the random positive number k such that X=k(aP); if b=1, the second party verifies Y=i(aP), confirming that the first party knows a.

Claims (2)

1. A distributed network interactive identity authentication method based on zero knowledge, comprising the following steps:
The two communicating parties select in advance, over a public channel, a conic section over a finite field and a random point belonging to this conic section;
One communicating party selects a random number as its private key, calculates the product of the random point and the random number, and transmits said curve, the random point and their product to the other communicating party as its public key;
The other communicating party selects a random number as its private key, calculates the product of the random point and the random number, and transmits the above curve, the random point and their product to the first communicating party as its public key;
When one communicating party transmits information to the other communicating party, it first embeds the information as a point on the conic section;
When encrypting, the one communicating party selects a randomly generated positive integer, uses the public key of the other communicating party to calculate the ciphertext, and transmits it to the other party;
When decrypting, the other communicating party uses its private key to calculate the plaintext from the ciphertext.
2. The distributed network interactive identity authentication method based on zero knowledge according to claim 1, characterized in that the information transmission process includes a timeout limit.
CN 200410099365 2004-12-30 2004-12-30 Distributed network interactive identity authentication method based on zero-knowledge Pending CN1801702A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200410099365 CN1801702A (en) 2004-12-30 2004-12-30 Distributed network interactive identity authentication method based on zero-knowledge

Publications (1)

Publication Number Publication Date
CN1801702A (en) 2006-07-12

Family

ID=36811487

Country Status (1)

Country Link
CN (1) CN1801702A (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication