CN103297241A - Construction method for one-time anonymous signcryption of public key - Google Patents

Abstract

The invention discloses a construction method for one-time anonymous signcryption of public key and aims to complete the construction method for the one-time anonymous signcryption of the public key by the aid of a computer system. The computer system comprises a UA (user A), a UB (user B) and a TC (trusted center), and the UA, the UB and the TC are mutually communicated. The construction method includes seven steps of 1), generating computer system public key; 2), generating user partial secret key; 3), generating user secret key; 4), generating one-time public key; 5), subjecting the one-time public key to validity verification; 6), performing signcryption; 7), unsigncrypting. Compared with the prior art, the construction method has both anonymity and traceability, and can effectively prevent one-time attacks of malicious users and untrusted attacks from the TC inside a system. Meanwhile, the construction method has high computational efficiency and low communication costs as compared with conventional methods.

Description

The close building method of the anonymous label of a kind of disposable PKI

Technical field

The invention belongs to field of information security technology, be specifically related to the close building method of the anonymous label of a kind of disposable PKI.

Background technology

Because network opening and sharing, cause subjecting to various malicious attacks, the network user often is faced with leakage as important informations such as password, numbers of the account, loses or destroy the safety problem of data integrity in communication transmission process.The sensitive data of protection user transmission has usually based on the certificate public key cryptosyst, based on modes such as identity and blind signatures.

(Certificate Based Public Key Cryptosystem) refers to user U based on the certificate public key cryptosyst _iAccording to the private key s of self _iCalculate and generate PKI P _i, then to trusted certificates authorization center CA(Cerrificate Authentication) and submit certificate request to, obtain to issue certificate Cert _iThis certificate is with user U _iThe same P of identity _iCarry out effectively bind, comprised information such as user name, user's public information, the client public key term of validity at least.CA is responsible for the management of all user certificates, guarantees the validity of certificate.If user's sensitive information leakage, CA need spend that the regular hour nullifies and issue certificate again.Therefore, have the excessive challenge of certificate management expense based on the certificate public key cryptosyst, efficient is not high.

Public-key cryptosystem (Identity Based Public Key Cryptosystem) based on identity proposes in order to solve based on certificate public key cryptosyst management " bottleneck " problem, main thought be the user with oneself user profile (for example, user name and network ip address) as own PKI, by private key generation center KGC(Key Generation Center) generate corresponding private key.The uniqueness of user profile (for example, user's addresses of items of mail, telephone number or office number) owing to do not need user certificate that user identity is carried out effectively bind with PKI, just no longer needs certificate of certification.And user's private key must generate center KGC calculating generation by private key, so the unsafe problems that just can avoid the user to forge private key, if namely user self can calculate the generation private key, he also just can calculate other users' private key.But generate among the KGC of center because all users' private key all leaves private key in, just produced the new safety problem of key escrow.In addition, use same identity also will expose user's sensitive information for a long time.

Blind signature (Blind Signature Systems) can propose for the tracking of bearing the signature effective information for fear of signer, and its key step is:

(1) user blinds processing and will blind information m the origination message m that will sign _tSend to signer;

(2) signer is to blinding message m _tSign, blind signature information and be

And send to the user;

(3) user is at first to blinding signature information

Go to blind, obtain the information signature message m '.

In blind signature scheme, signer is not only known all the elements of signature information, does not know object and time that oneself is signed yet, has guaranteed the confidentiality of message and the unforgeable of signature like this.But owing to the not traceable property of blind signature, can't determine the identity of malicious user, bring the chance of being engaged in unlawful activities to malicious user.

Therefore, in order to realize the safety of user privacy information, can unite the identity that trusted party discloses malicious user again, document [1] has proposed disposable blind PKI thought, utilize RSA and Fiat-Shamir identity authentication schemes, constructed the disposable blind PKI scheme based on identify label.Trusted party only needs issue private key one time to the user in scheme, when each the use user just available its generate different PKIs.But this scheme is also dangerous, and the disabled user can forge private key and certificate, makes signature and cheats.Document [2] has proposed the disposable public key cryptosyst based on identity, user's anonymity and the irrelevance between activity have been guaranteed, follow the trail of and disclose the identity of malicious user, but document [3] points out that the scheme of document [2] is also dangerous, registration and nonregistered user all can forge a signature.Document [4] has proposed the disposable PKI anonymous authentication scheme in the general environment, and has proved its fail safe, has strong anonymity, and calculating and the traffic are less, but scheme is also dangerous under general environment, and the recipient faces the threat of the disposable attack of malicious entities.

Such scheme all is signature authentication, and signs close algorithm has just been realized information simultaneously in a logic step confidentiality and non-repudiation, with traditional authentication mode relatively, signs close have lower communication overhead and amount of calculation still less.Document [5] has proposed disposable PKI scheme based on identity based on signing close thought, and efficient is higher, but scheme can not be resisted the malicious attack of trusted party.

Above-mentioned document [1] to document [5] is respectively:

[1] Zhang Qiupu, Guo Baoan. based on the disposable PKI [J] of ID. electronic letters, vol, 2003,31 (5): 769-771.

[2] Zhang Sheng, Xu Guoai, Hu Zhengmin etc. a kind of structure based on the disposable PKI of identity [J]. electronics and information journal, 2006,28 (8): 1412-1415.

[3] Zhen Honggu, Chen Yue, Li Le etc. based on disposable PKI analysis and the reconstruct [J] of identity. computer engineering, 2010,36 (1): 187-189.

[4] Luo Changyuan, Huo Shiwei, Xing Hongzhi. in the general environment based on the anonymous authentication scheme [J] of disposable PKI. communication journal, 2012,33 (2): 93-98.

[5] Li Yi, Zhang Shaowu, Zhang Yuanyang etc. a kind of new disposable public key cryptosyst [J]. computer engineering, 2008,34 (7): 168-170.

Summary of the invention

At the problem that exists in the middle of the above-mentioned prior art, the purpose of this invention is to provide the close building method of the anonymous label of a kind of disposable PKI, exist in the solution prior art: exist the certificate management expense excessive based on the certificate public key cryptosyst; The long-term sensitive information that uses same identity will expose the user; Lack traceability, can't determine the identity of malicious user; The disabled user can forge private key and certificate, makes signature and cheats; Registration and nonregistered user all can forge a signature; The recipient faces the threat of the disposable attack of malicious entities under general environment; Can not resist the problems such as malicious attack of trusted party.

In order to realize above-mentioned task, the technical solution used in the present invention is:

The present invention relates to the three parts altogether, that is: user side U _A, user side U _BAnd a trusted party TC, wherein user side U _A, user side U _BIntercommunication with trusted party TC.It is 7 steps that this method is divided into, and the first step is to generate the computer system PKI, and second step was to generate the User Part key, the 3rd step was to generate user key, and the 4th step was to generate disposable PKI, and the 5th step was the legitimate verification of disposable PKI, the 6th step was that label are close, and the 7th step was that solution is signed close.

The close building method of the anonymous label of a kind of disposable PKI, this method utilize computer system to finish the close structure of the anonymous label of disposable PKI, and described computer system comprises user side U _A, user side U _BAnd a trusted party TC, wherein user side U _A, user side U _BIntercommunication with trusted party TC; Described computer system is set up and to user side U _A, user side U _BAnd the open system parameters of trusted party TC, this system parameters comprises: P, q, G ₁, G ₂, H ₁, H ₂, H ₃Wherein P is a point on the elliptic curve, and the equation of this elliptic curve is: y ³=x ³+ ax+b, a and b are constant; G ₁, G ₂Be two groups that generated by P, G ₁, G ₂Rank be prime number q, G ₁Be circled addition group, G ₂Be the circulation multiplicative group, at group G ₁, G ₂Middle discrete logarithm problem is for being difficult to resolve problem; G ₁, G ₂Exist relation as follows:

In the formula, For bilinearity to the mapping;

Described H ₁, H ₂And H ₃Be the secure Hash function, be expressed as follows: H ₁: { 0,1} ^*→ G ₁,

$H_2:\{\mathrm{0,1}{\}}^{*}\×G_1\→Z_q^{*},$ $H_3:\{\mathrm{0,1}{\}}^{*}\→Z_q^{*};$

This method specifically may further comprise the steps:

Step 1 generates the computer system PKI:

Trusted party TC picked at random P ∈ G ₁,

And calculate g=sP, wherein g be system's PKI and by trusted party TC to user side U _A, user side U _BOpen; S is system's master key and preserves by trusted party TC is secret;

Step 2 generates the User Part key:

1) note user side U _AIdentity is ID _A, note user side U _BIdentity is ID _B, user side U _APicked at random Calculate Y _A=z _AP, and with identity ID _AAnd Y _ASend to trusted party TC; User side U _BSelect at random Calculate Y _B=z _BP, and with identity ID _BAnd Y _BSend to trusted party TC;

2) utilize the mode of zero-knowledge proof to user side U at trusted party TC _AIdentity ID _AAnd Y _AAfter row is confirmed, trusted party TC picked at random

Carry out X successively ₁=x _AP, X _A=X ₁+ Y _A, Q _A=H ₁(ID _A, X _A), d _A=x _A+ sQ _A, obtain user side U _APart key d _A, and with d _A, X _ASend to user side U _A

Similarly, trusted party TC utilizes the mode of zero-knowledge proof to user side U _BIdentity ID _BAnd Y _BAfter confirming, trusted party TC picked at random

Carry out X successively ₂=x _BP, X _B=X ₂+ Y _B, Q _B=H ₁(ID _B, X _B), d _B=x _B+ sQ _B, obtain user side U _BPart key d _B, and with d _B, X _BSend to user side U _B

Step 3 generates user key:

User side U _ACalculate y _A=z _A+ d _A, judge equation X ₁+ gH ₁(ID _A, X _A)=d _AThe part key whether P becomes Rob Roy checking trusted party TC to generate; If X ₁+ gH ₁(ID _A, X _A)=d _AThe P equation is set up, then with y _AAs user side U _AKey; Otherwise return step 2;

User side U _BCalculate y _B=z _B+ d _B, judge equation X ₂+ gH ₁(ID _B, X _B)=d _BP verifies the part key that trusted party TC generates; If equation X ₂+ gH ₁(ID _B, X _B)=d _BP sets up, then with y _BAs user side U _BKey; Otherwise return step 2;

Step 4 generates disposable PKI:

User side U _APicked at random

Calculate W _A=ky _AP, V _A=kX _A, K _A=kPQ _A, obtain user side U _ADisposable PKI＜W _A, V _A, K _A;

User side U _BPicked at random

Calculate W _B=ly _BP, V _B=lX _B, K _B=lPQ _B, obtain user side U _BDisposable PKI＜W _B, V _B, K _B;

Step 5, disposable PKI legitimate verification:

User side U _BThe checking equation: $\hat{e}(V_A,P)\·\hat{e}(K_A,g)=\hat{e}(W_A,P)$ And equation $\hat{e}(K_A,X_A)=\hat{e}(V_A,Q_{A}P)$ Whether set up, if two equatioies are all set up, then show user side U _APKI and identity legal, otherwise return step 2;

User side U _AThe checking equation $\hat{e}(V_B,P)\·\hat{e}(K_B,g)=\hat{e}(W_B,P)$ And equation $\hat{e}(K_B,X_B)=\hat{e}(V_B,Q_{B}P)$ Whether set up, if two equatioies are all set up, then show user side U _BPKI and identity legal, otherwise return step 2;

Step 6, sign close:

User side U _AMessage m is signed the close user side U that sends to _B, detailed process is as follows:

1) user side U _APicked at random Calculate R=rP;

2) user side U _ACalculate h=H ₂(R, ID _A, m) and p _A=r/ (z _A+ d _A), wherein,＜h, p _AIt is the signature to message m;

3) user side U _ACalculate t=ky _AW _BWith

Wherein, c is the encryption to message; To sign dense civilian σ=＜h, p _A, c〉and send to user side U _B

Step 7, it is close to separate label:

User side U _BReceive user side U _AAfter the ciphertext that sends, separate and sign close operation, detailed process is as follows:

1) user side U _BCalculate t'=ly _BW _A, recover message

2) user side U _BCalculate R'=p _A(X _A+ gH ₁(ID _A, Y _A)), h'=H ₂(R', ID _A, m);

3) user side U _BJudge, if h'=h sets up, the signature verification success is described, user side U _BReceive message, otherwise rejection message.

Method of the present invention is compared with existing method has anonymity and traceability, and the while can effectively prevent the disposable attack of malicious user and attack from the non-trust of internal system trusted party.Simultaneously, this method is compared with existing method and is also had higher operation efficiency and lower communication overhead.

Description of drawings

Fig. 1 is the overall flow figure of the inventive method;

Fig. 2 generates figure for system's PKI;

Fig. 3 generates figure for the part key;

Fig. 4 generates figure for user key;

Fig. 5 is that disposable PKI generates figure;

Fig. 6 is for signing close figure;

Fig. 7 signs close figure for separating;

Fig. 8 is performance evaluation figure of the present invention;

The present invention is described in detail below in conjunction with the drawings and specific embodiments.

Embodiment

Below in conjunction with the drawings and specific embodiments technical scheme of the present invention is further elaborated.

One, symbol description

Related symbol description sees the following form 1 in the literary composition

Table 1 symbol description

Two, embodiment

In Fig. 3 to Fig. 7, for convenience of explanation, the i=A among the figure or B, that is:

Symbol description among table 2 Fig. 3 to Fig. 7

As shown in Figure 2: establish G ₁, G ₂Be respectively the circled addition group and the circulation multiplicative group that are generated by P, P is a point on the elliptic curve, and elliptic curve is an algebraic curve, and the equation of this elliptic curve is: y ²=x ³+ ax+b, wherein a, b are constant; This elliptic curve is no singular point, does not have cusp or self intersection.G ₁, G ₂Discrete logarithm problem (DLP problem) among the group is for being difficult to resolve problem, and its rank are prime number q.

Be a bilinearity to mapping, be expressed as

Define safe Hash function: H ₁: { 0,1} ^*→ G ₁,

Trusted party TC picked at random P ∈ G ₁, Calculate g=sP, g is system's PKI, and s is system's master key and secret the preservation, open system parameters＜P, q, G ₁, G ₂, g, H ₁, H ₂, H ₃.

As shown in Figure 3: suppose user side U _iBe user side U _AWith user side U _BUser side U _AIdentity is ID _A, user side U _BIdentity is ID _BUser side U _APicked at random

Calculate Y _A=z _AP is with identity ID _AAnd Y _ASend to trusted party TC.User side U _BSelect at random

Calculate Y _B=z _BP is with identity ID _BAnd Y _BSend to trusted party TC.

Trusted party TC uses the mode of zero-knowledge proof to user side U _AIdentity ID _AAnd Y _AConfirm, namely to Y _AIn secret number z _AConfirm any user side U that pretends to be _A, because the jactitator does not know U _ASecret number z _A, just can't calculate and generate correct Y _AValue.

At the user side U of trusted party TC _AIdentity ID _AAnd Y _AAfter confirming, trusted party TC picked at random

Calculate X ₁=x _AP, X _A=X ₁+ Y _A, Q _A=H ₁(ID _A, X _A), d _A=x _A+ sQ _A, and with＜d _A, X _ASend to user side U _A, d _ABe user side U _AThe part key.In like manner, the user side U of trusted party TC _BIdentity and Y _BAfter confirming with the mode of zero-knowledge proof, trusted party TC picked at random

Calculate X ₂=x _BP, X _B=X ₂+ Y _B, Q _B=H ₁(ID _B, X _B), d _B=x _B+ sQ _B, and with＜d _B, X _BSend to user side U _B, d _BBe user side U _BThe part key.Trusted party TC preserves＜X _A, Q _A, ID _AAnd＜X _B, Q _B, ID _B, respectively as confirming user side U _AWith user side U _BThe backup of identity.

As shown in Figure 4: user side U _ACalculate y _A=z _A+ d _A, judge equation X ₁+ gH ₁(ID _A, X _A)=d _AP verifies the part key that trusted party TC generates, if the equation establishment, then with y _AAs user side U _AKey.User side U _BCalculate y _B=z _B+ d _B, judge equation X ₂+ gH ₁(ID _B, X _B)=d _BP verifies the part key that trusted party TC generates, if the equation establishment, then with y _BAs user side U _BKey.

As shown in Figure 5: user side U _APicked at random

Calculate W _A=ky _AP, V _A=kX _A, K _A=kPQ _A, user side U _ADisposable PKI be＜W _A, V _A, K _A.User side U _BPicked at random

Calculate W _B=ly _BP, V _B=lX _B, K _B=lPQ _B, user side U _BDisposable PKI be＜W _B, V _B, K _B.

Before label were close, two users needed mutual disposable PKI to the other side carry out legitimate verification:

1) user side U _ADisposable PKI legitimate verification

User side U _BNeed the checking equation Correctness.If correct, then show user side U _ARegister at trusted party TC.Proof procedure is as follows:

$\hat{e}(V_A,P)\·\hat{e}(K_A,g)=\hat{e}(k\·X_A,P)\·\hat{e}(k\·Q_A\·P,g)$

$=\hat{e}(k\·(x_A+z_A)P,P)\·\hat{e}(k\·Q_A\·P,\mathrm{sP})$

$=\hat{e}(k\·(x_A+z_A)P,P)\·\hat{e}(k\·s\·Q_A\·P,P)$

$=\hat{e}(k\·(x_A+z_A+s\·Q_A)P,P)$

$=\hat{e}(W_A,P)$

2) in order to ensure trusted party TC where necessary to user side U _ATraceability, just in case user side U _ABe malicious user, then enough disclose its identity, user side U _BAlso need verify equation

Correctness, if correct, then be validated user.Proof procedure is as follows:

$\hat{e}(K_A,X_A)=\hat{e}(k\·Q_A\·P,X_A)$

$=\hat{e}(k\·X_A,Q_A\·P)$

$=\hat{e}(V_A,Q_A\·P)$

In like manner, user side U _AAlso need user side U _BDisposable PKI＜W _B, V _B, K _BLegitimacy and equation $\hat{e}(K_B,X_B)=\hat{e}(V_B,Q_{B}P)$ Correctness verify.

As shown in Figure 6: user side U _APicked at random

Calculate R=rP successively, h=H ₂(R, ID _A, m), p _A=r/ (z _A+ d _A), then＜h, p _AIt is the signature to message m.User side U _ACalculate t=ky _AW _B,

Wherein be that c is the encryption to message.To sign dense civilian σ=＜h, p _A, c〉and send to user side U _B

As shown in Figure 7: user side U _BAfter receiving the dense literary composition of label, calculate t'=ly _BW _A, recover message

User side U _BCalculate R'=p _A(X _A+ gH ₁(ID _A, X _A)), h'=H ₂(R', ID _A, m).If h'=h sets up, the signature verification success is described, the user receives message, otherwise refusal.

Three, security proving of the present invention

(1) correctness proof: after the user utilizes the close message σ of label that receives, separate and sign close operation.

1)t'＝l·y _B·W _A

＝l·y _B·k·y _A·P

＝k·y _A·W _B

＝t

If the result of calculation t ' of this formula=t, then description messages m can be resumed.

2)R'＝p _A(X _A+g·H ₁(ID _A,X _A))

＝r(X _A+g·H ₁(ID _A,X _A))/(x _A+d _A)

＝r(z _AP+x _AP+s·H ₁(ID _A,X _A)·P)/(x _A+d _A)

＝rP(x _A+d _A)/(x _A+d _A)

＝R

If can correctly calculate R '=R, then proved the validity of checking.

(2) fail safe proves

1) substantivity

In the certificate public key cryptosyst of tradition based on PKI, CA(Certificate Authority) be responsible for carrying out the authentication of this user identity according to the PKI that the user submits to, promulgate related credentials proof user's identity and the legitimacy of PKI.Yet the administration overhead of digital signature is excessive, recipient user is before authentication transmit leg user's signature, need obtain the certificate of transmit leg earlier verifies, this means that authentication signature will carry out a step more, caused the efficient of authentication not high, especially when in the network during authenticated user enormous amount.And scheme trusted party TC in this paper only registers and calculates＜X in the identity of system initialization and part key generation phase participating user _i, Q _i, d _i, signing the close stage in the close reconciliation of label, trusted party TC does not carry out any operation, and the user can directly authenticate, and has alleviated the burden of trusted party TC, has deleted to authenticate unnecessary step, has improved the efficient of authentication.

2) anonymity

Have randomness because the user chooses the numerical value that generates disposable PKI, just can guarantee to authenticate the dereferenced of both sides' the each disposable PKI that uses of user, can not take place to use same identity for a long time and the dangerous event that exposes user's sensitive information.Now be illustrated with object lesson.User side U _APicked at random

Calculating disposable PKI is＜W _A, V _A, K _A.User side U _BPicked at random

Calculating disposable PKI is＜W _B, V _B, K _B.User side U _AWith user side U _BThen will select respectively next time

The disposable PKI of the different user of random number is also with difference, and therefore, the user can't be known the other side's true identity, has guaranteed the anonymity of verification process.

3) unforgeable

I) the authentication two parties can't be forged disposable PKI and be signed dense literary composition

Now be illustrated with object lesson.User side U _ACan't forge disposable PKI＜W _A, V _A, K _AAnd sign dense civilian σ.

If user side U _APicked at random

K ≠ k wherein ^*, then calculate

V _A=kX _A, Forge and generate disposable PKI

And send it to user side U _BUser side U _BAt first verify equation

Correctness, checking is passed through.But because k ≠ k ^*, user side U _BFind

Then can't be by checking.User side U _ACan't forge disposable PKI and cheat other users.Therefore, the authentication two parties all can't be forged the disposable PKI of oneself.

If user side U _ADisposable PKI＜W _A, V _A, K _ABy the checking equation

Then the provable master key s of system is contained in PKI W _AIn, same by checking equation t=t'=ly _BW _A, also the provable master key s of system is contained in PKI W _AIn, by checking equation R'=p _A(X _A+ gH ₁(ID _A, X _A)), provable p then _ABe by user side U _AD _AGenerate, comprise the master key s of system in the legal private key, thereby forge＜h, p _ABe infeasible.Therefore, the transmit leg user in the authentication can't forge and sign dense civilian σ.

Ii) the disabled user can't forge disposable PKI and sign dense literary composition arbitrarily

If user side U ^*Not at TC registration, user side U ^*Picked at random k,

Calculate W ^*=kX ^*+ k ^*GQ ^*, V ^*=kX ^*, K ^*=k ^*PQ ^*, user side U ^*Disposable PKI is＜W ^*, V ^*, K ^*.Recipient's user side is at first verified equation

Correctness, checking is passed through.But because user side U ^*Unregistered, can't obtain legal private key d ^*, then can't calculate p ^*, also just can't forge and sign dense civilian σ.

If user side U ^*Attempt to forge legal users end U _ADisposable PKI＜W _A, V _A, K _AAnd sign dense civilian σ, user side U* picked at random

Calculate W ^*=kW _A, V ^*=k ^*V _A, K ^*=k ^*K _A, the disposable PKI of user side U* is＜W ^*, V ^*, K ^*.User side U _BAt first verify equation Correctness, checking is passed through.But user side U ^*Can't obtain user's long-term private z _A, can not forge the dense civilian σ of effective label.Therefore, disabled user's end all can't be forged disposable PKI and sign dense literary composition arbitrarily.

4) the non-trust of opposing is attacked

Trusted party TC picked at random Calculate g=sP, X ₁=x _AP, Q _A=H ₁(ID _A, X _A), d _A=x _A+ sQ _A, s is system's master key, and with＜d _A, X _ASend to user side U _A, d _AAs user side U _AThe part key.Trusted party TC preserves＜X _A, Q _A, ID _A, as confirming user side U _AThe backup of identity.Trusted party TC chooses

Calculate W _TC=aW _A, V _TC=aV _A, K _TC=aK _A, the disposable PKI of trusted party TC is＜W _TC, V _TC, K _TC.Trusted party TC can pass through equation

Checking, if will obtain secret value r, just must calculate by equation R=rP, yet this problem is the DLP problem, though trusted party TC knows user side U _APart key d _A, but will be based on equation Y _A=z _AP obtains user's long term keys z _A, be a DLP problem too.Because for discrete logarithm is difficult to resolve problem, trusted party TC can't obtain user key z to the DLP problem on elliptic curve _A, can only disclose the identity of malicious user where necessary as the third party, attack and can not initiate non-trust.

5) resist disposable attack

In this programme, user side U _AGood Y will be calculated _AWith identity ID _ASend to trusted party TC together, obtained validated user identity ID by trusted party TC authentication _A, finished the first time and recipient's user side U according to algorithm operating then _BCommunication.If user side U _ABe malicious user, so user side U _AWhen communicating by letter for the second time to user side U _BLaunch a offensive user side U _BAssociating trusted party TC is by the checking equation Tracking has disclosed malicious user end U _ATrue identity, TC registers at trusted party.User side U _ACalculate disposable PKI earlier

And send to recipient user, user side U _BSigning the close Cheng Qian of crossing of close reconciliation label just to user side U _AIdentity verify, found user side U _ABe malicious user, refusal communicates, and has resisted disposable attack.Therefore, although user side U _ABe malicious user, but because user side U _BSigning the close Cheng Qian of crossing of close reconciliation label just to user side U _AIdentity verify, found the malicious user identity, so this method can be resisted disposable attack.

6) traceability

Propose a plan according to the present invention, computer system is the rogue activity that prevents the user, user side U _BCan disclose user side U by cooperation with trusted party TC _AIdentity during rogue activity.User side U _BWith user side U _A＜V _A, K _ASend to trusted party TC in order to disclose user side U _ATrue identity.Trusted party TC is according to the user side U that has preserved _AIdentity information＜X _A, Q _A, ID _A, the checking equation

Correctness, if then proved user side U by checking _ABe the rogue activity promoter.Therefore, under the anonymity prerequisite when having guaranteed User Activity, scheme can prevent that the user from carrying out rogue activity.

7) dereferenced

Because authentication two parties end U _A, user side U _BThe random number k of at every turn choosing _UThe difference of (U=A or B), the user authenticates used disposable PKI＜W _U, V _U, K _UAlso different, the independence that this has not only guaranteed the disposable PKI that the user uses has guaranteed that also the user carries out the dereferenced between the different activities.

Four, invention performance evaluation

The present invention proposes a plan at 3 safe Hash function: H of initial phase definition ₁: { 0,1} ^*→ G ₁,

Point multiplication operation is arranged 13 times, calculate g=sP, the Y during the generating portion key respectively at the system's PKI at initial phase _A=z _AP, X ₁=x _AP, d _A=x _A+ sQ _A, generate U _ADisposable PKI＜W _A, V _A, K _A, sign close stage R=rP, p _A=r/ (z _A+ d _A), t=ky _AW _B, separate and sign close stage t'=ly _BW _AAnd R'=p _A(X _A+ gH ₁(ID _A, X _A)); Checking user U _ADisposable PKI $\hat{e}(V_A,P)\·\hat{e}(K_A,g)=\hat{e}(W_A,P)$ Equation during with its identity legitimacy of check $\hat{e}(K_A,X_A)=\hat{e}(V_A,Q_{A}P)$ During checking, have 5 bilinearitys to computing.In addition, no index computing in the invention.

Fig. 8 is for mentioning the performance comparison of the building method described in document 2 " a kind of structure based on the disposable PKI of identity ", document 4 the anonymous authentication scheme of disposable PKI " in the general environment based on ", the document 5 " a kind of new disposable public key cryptosyst " in building method scheme in this paper and the background technology.Hash among Fig. 8 represents the Hash computing,

Represent bilinearity to computing, EXP represents exponent arithmetic, MUL representative point multiplication, and the ordinate among Fig. 8 represents the number of times of various computings.By relatively finding that computing of the present invention does not need exponent arithmetic, under the prerequisite of having guaranteed fail safe, the present invention is all comparatively desirable aspect operation efficiency and communication overhead simultaneously.

Close research is almost blank about the anonymous label of disposable PKI in existing research, and the present invention will sign close thought and the anonymous scheme of disposable PKI combines, and has proposed the close scheme of the anonymous label of a kind of new disposable PKI, and has proved its fail safe.The present invention has anonymity and traceability, and the while can effectively prevent the disposable attack of malicious user and attack from the non-trust of internal system trusted party TC that algorithm does not need exponent arithmetic, and operation efficiency and communication overhead are all comparatively desirable.

Claims (1)

1. the close building method of the anonymous label of disposable PKI is characterized in that, this method utilizes computer system to finish the close structure of the anonymous label of disposable PKI, and described computer system comprises user side U _A, user side U _BAnd a trusted party TC, wherein user side U _A, user side U _BIntercommunication with trusted party TC; Described computer system is set up and to user side U _A, user side U _BAnd the open system parameters of trusted party TC, this system parameters comprises: P, q, G ₁, G ₂, H ₁, H ₂, H ₃Wherein P is a point on the elliptic curve, and the equation of this elliptic curve is: y ³=x ³+ ax+b, a and b are constant; Described G ₁, G ₂Be two groups that generated by P, G ₁, G ₂Rank be prime number q, G ₁Be circled addition group, G ₂Be the circulation multiplicative group, at group G ₁, G ₂Middle discrete logarithm problem is for being difficult to resolve problem; G ₁, G ₂Exist relation as follows:

$\hat{e}:G_1\×G_1\→G_2,$ In the formula,

For bilinearity to the mapping;

Described H ₁, H ₂And H ₃Be the secure Hash function, be expressed as follows: H ₁: { 0,1} ^*→ G ₁, $H_2:{\left\{\mathrm{0,1}\right\}}^{*}\×G_1\→Z_q^{*},$ $H_3:{\left\{\mathrm{0,1}\right\}}^{*}\→Z_q^{*};$

This method specifically may further comprise the steps:

Step 1 generates the computer system PKI:

Trusted party TC picked at random P ∈ G ₁,

And calculate g=sP, wherein g be system's PKI and by trusted party TC to user side U _A, user side U _BOpen; S is system's master key and preserves by trusted party TC is secret;

Step 2 generates the User Part key:

1) note user side U _AIdentity is ID _A, note user side U _BIdentity is ID _B, user side U _APicked at random

Calculate Y _A=z _AP, and with identity ID _AAnd Y _ASend to trusted party TC; User side U _BSelect at random

Calculate Y _B=z _BP, and with identity ID _BAnd Y _BSend to trusted party TC;

2) utilize the mode of zero-knowledge proof to user side U at trusted party TC _AIdentity ID _AAnd Y _AAfter row is confirmed, trusted party TC picked at random

Carry out X successively ₁=x _AP, X _A=X ₁+ Y _A, Q _A=H ₁(ID _A, X _A), d _A=x _A+ sQ _A, obtain user side U _APart key d _A, and with d _A, X _ASend to user side U _A

Similarly, trusted party TC utilizes the mode of zero-knowledge proof to user side U _BIdentity ID _BAnd Y _BAfter confirming, trusted party TC picked at random

Carry out X successively ₂=x _BP, X _B=X ₂+ Y _B, Q _B=H ₁(ID _B, X _B), d _B=x _B+ sQ _B, obtain user side U _BPart key d _B, and with d _B, X _BSend to user side U _B

Step 3 generates user key:

User side U _ACalculate y _A=z _A+ d _A, judge equation X ₁+ gH ₁(ID _A, X _A)=d _AThe part key whether P becomes Rob Roy checking trusted party TC to generate; If X ₁+ gH ₁(ID _A, X _A)=d _AThe P equation is set up, then with y _AAs user side U _AKey; Otherwise return step 2;

User side U _BCalculate y _B=z _B+ d _B, judge equation X ₂+ gH ₁(ID _B, X _B)=d _BP verifies the part key that trusted party TC generates; If equation X ₂+ gH ₁(ID _B, X _B)=d _BP sets up, then with y _BAs user side U _BKey; Otherwise return step 2;

Step 4 generates disposable PKI:

User side U _APicked at random Calculate W _A=ky _AP, V _A=kX _A, K _A=kPQ _A, obtain user side U _ADisposable PKI＜W _A, V _A, K _A;

User side U _BPicked at random

Calculate W _B=ly _BP, V _B=lX _B, K _B=lPQ _B, obtain user side U _BDisposable PKI＜W _B, V _B, K _B;

Step 5, disposable PKI and user identity legitimate verification:

User side U _BThe checking equation: $\hat{e}(V_A,P)\·\hat{e}(K_A,g)=\hat{e}(W_A,P)$ And equation $\hat{e}(K_A,X_A)=\hat{e}(V_A,Q_{A}P)$ Whether set up, if two equatioies are all set up, then show user side U _APKI and identity legal, otherwise return step 2;

User side U _AThe checking equation $\hat{e}(V_B,P)\·\hat{e}(K_B,g)=\hat{e}(W_B,P)$ And equation $\hat{e}(K_B,X_B)=\hat{e}(V_B,Q_{B}P)$ Whether set up, if two equatioies are all set up, then show user side U _BPKI and identity legal, otherwise return step 2;

Step 6, sign close:

User side U _AMessage m is signed the close user side U that sends to _B, detailed process is as follows:

1) user side U _APicked at random

Calculate R=rP;

2) user side U _ACalculate h=H ₂(R, ID _A, m) and p _A=r/ (z _A+ d _A), wherein,＜h, p _AIt is the signature to message m;

3) user side U _ACalculate t=ky _AW _BWith

Wherein, c is the encryption to message; To sign dense civilian σ=＜h, p _A, c〉and send to user side U _B

Step 7, it is close to separate label:

User side U _BReceive user side U _AAfter the ciphertext that sends, separate and sign close operation, detailed process is as follows:

1) user side U _BCalculate t'=ly _BW _A, recover message

2) user side U _BCalculate R'=p _A(X _A+ gH ₁(ID _A, Y _A)), h'=H ₂(R', ID _A, m);

3) user side U _BJudge, if h'=h sets up, the signature verification success is described, user side U _BReceive message, otherwise rejection message.

Images