
CN116318726A - A condition traceable ring signature method, system, electronic device and storage medium - Google Patents


Info

Publication number
CN116318726A
Authority
CN
China
Prior art keywords
signature
ring signature
key
ring
anonymous
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310257980.2A
Other languages
Chinese (zh)
Inventor
张鹏
梁文涛
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen University
Original Assignee
Shenzhen University
Application filed by Shenzhen University
Priority to CN202310257980.2A
Publication of CN116318726A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a conditionally traceable ring signature method, system, electronic device and storage medium. The method comprises the following steps: setting system parameters; generating keys for the users and the anonymous revocation authority according to a digital signature algorithm and the system parameters; generating a ring signature according to the keys; verifying the ring signature, outputting a first preset result if verification passes and a second preset result if it does not; performing ring signature linking, and using the linking to decide whether to add the ring signature to a signature list; and, if the ring signature appears in the signature list and the anonymous revocation authority wants to recover the signing public key using its private key, substituting the private key of the anonymous revocation authority into the pre-mixed public key set to trace the public key of the actual signer. Adding the signature list function to the ring signature algorithm means the anonymous revocation authority can only revoke the anonymity of ring signatures in the signature list, which reduces the power of the anonymous revocation authority and achieves partial traceability of ring signatures.

Description

A conditionally traceable ring signature method, system, electronic device and storage medium

Technical field

The invention relates to the field of digital signatures, and in particular to a conditionally traceable ring signature method, system, electronic device and storage medium.

Background

Among digital signatures there is an identity-based ring signature scheme in which private keys are distributed by a private key generator (PKG). It can provide both linkability and traceability of ring signatures, but if the PKG is compromised by an adversary, the users' signing private keys are leaked, which is a security risk. In addition, the anonymous revocation authority in traditional traceable ring signatures has too much power: in theory it can revoke the anonymity of every traceable ring signature, whereas in practice the aim is only to identify malicious signers. If an attacker colludes with the anonymous revocation authority, honest signers are not safe.

A scheme that achieves partial traceability of ring signatures is therefore urgently needed.

Summary of the invention

The main purpose of the present invention is to provide a conditionally traceable ring signature method, system, electronic device and storage medium that achieve partial traceability of ring signatures.

To achieve the above object, a first aspect of the present invention provides a conditionally traceable ring signature method, comprising: setting system parameters; generating keys for users and for the anonymous revocation authority according to a preset digital signature algorithm and the system parameters; generating a ring signature according to the keys; verifying the ring signature, outputting a first predetermined result if verification passes and a second predetermined result if it fails; performing ring signature linking on a ring signature that has passed verification, and using the linking to decide whether to add the ring signature to a signature list; and, if the ring signature appears in the signature list and the anonymous revocation authority wants to recover the signing public key using its private key, substituting the private key of the anonymous revocation authority into the pre-mixed public key set to trace the public key of the actual signer. Performing ring signature linking on a verified ring signature comprises: obtaining the key image $I$ in the verified ring signature $\sigma$ and determining whether $I$ has already appeared in the image list $\Omega$; if it has, and the message $M$ in $\sigma$ is not equal to the message $M'$ of the signature $\sigma'$ already present in $\Omega$, outputting 1 and deleting $\sigma$ from the signature list $\theta$; if $M$ equals $M'$, rejecting the ring signature $\sigma$; if it has not appeared, outputting 0, accepting the ring signature $\sigma$ and adding it to the signature list $\theta$.

Further, setting the system parameters comprises: taking a security parameter $l_q$ as input and selecting two cyclic groups $G_1$ and $G_T$ of the same prime order $q$, where $g$ is a generator of $G_1$, $e$ denotes the bilinear map $G_1 \times G_1 \to G_T$, $H_s$ denotes a hash function $\{0,1\}^* \to Z_q$ with $Z_q$ a finite field, and $H_p$ denotes a deterministic hash function $G_1 \to G_1$; and outputting the public parameters $param = (l_q, q, g, G_1, G_T, H_s, H_p)$.

Further, the user's private key is a random number $d_i \in Z_q$ and the public key is $P_i = d_i g$; the private key of the anonymous revocation authority is $d'_u \in Z_q$ and its public key is $P'_u = d'_u g$.

Further, the method for generating a ring signature according to the keys comprises:

Randomly select the public keys of $n-1$ users and mix them with the signature public keys of $n-1$ users to obtain the set $S = \{P_1, P_2, \dots, P_n\}$; let the signing public key be $P_\pi$ and the private key be $d_\pi$; the number of anonymous revocation authorities selected by the signer is $l$, and their public key set is denoted $T = \{P'_1, P'_2, \dots, P'_l\}$;

Compute the key image $I$ of $d_\pi$, $I = d_\pi H_p(P_\pi)$;

Select $\{q_i \mid i = 1, \dots, n,\ i \neq \pi\}$ and $\{w_i \mid i = 1, \dots, n,\ i \neq \pi\}$ in the finite field $Z_q$, compute $L_i = q_i g + w_i P_i$ $(i \neq \pi)$ and $R_i = q_i H_p(P_i) + w_i I$ $(i \neq \pi)$, then select a random number $q_\pi$ in $Z_q$ and compute $L_\pi = q_\pi g$ and $R_\pi = q_\pi H_p(P_\pi)$;

Select a random number $r_{revoke}$ in the finite field $Z_q$ and compute $R_{revoke} = r_{revoke}\, g$;

For $u = 1, \dots, l$, compute

Figure BDA0004130281140000021

Compute $c = H_s(M, L_1, \dots, L_n, R_1, \dots, R_n)$, $c_i = w_i$ $(i \neq \pi)$,

Figure BDA0004130281140000022

$r_i = q_i$ $(i \neq \pi)$, $r_i = q_\pi - c_\pi d_\pi \bmod q$ $(i = \pi)$;

Select random numbers $p_1, p_2, s_i, c'_i$ in the finite field $Z_q$ and compute

Figure BDA0004130281140000023

Figure BDA0004130281140000031

$s = p_1 - c' d_\pi$,

Figure BDA0004130281140000032

$s_\pi = p_2 - c'_\pi d_\pi \bmod q$;

Generate the ring signature $\sigma$;

where $\sigma = (I, c_1, \dots, c_n, r_1, \dots, r_n, c'_1, \dots, c'_n, s, s_1, \dots, s_n, R_{revoke}, E_1, \dots, E_l)$.

Further, verifying the ring signature comprises:

For $i = 1, \dots, n$, compute $L'_i = r_i g + c_i P_i$ and $R'_i = r_i H_p(P_i) + c_i I$;

Compute $w_1 = H_s(M \mid L'_0, \dots, L'_n \,\|\, R'_0, \dots, R'_n) \bmod q$,

Figure BDA0004130281140000033

If

Figure BDA0004130281140000034

and

Figure BDA0004130281140000035

hold, output the first predetermined result 1 and verification passes; otherwise output the second predetermined result 0 and verification fails.

Further, substituting the private key of the anonymous revocation authority into the pre-mixed public key set to trace the public key of the actual signer comprises: substituting the private key $d'_u$ of the anonymous revocation authority into the public keys in the set $S$ in turn and, for $i = 1, \dots, n$, checking whether

Figure BDA0004130281140000036

holds; the public key $P_\pi$ that makes the equation hold is the public key of the actual signer.

A second aspect of the present invention provides a conditionally traceable ring signature system, comprising: a parameter setting module for setting system parameters; a key generation module for generating keys for users and the anonymous revocation authority according to a preset digital signature algorithm and the system parameters; a ring signature generation module for generating a ring signature according to the keys; a ring signature verification module for verifying the ring signature, outputting a first predetermined result if verification passes and a second predetermined result if it fails; a ring signature linking module for performing ring signature linking on a verified ring signature and using the linking to decide whether to add the ring signature to the signature list; and a tracing module which, when the ring signature linking module determines that the ring signature appears in the signature list and the anonymous revocation authority wants to recover the signing public key using its private key, substitutes the private key of the anonymous revocation authority into the pre-mixed public key set to trace the public key of the actual signer. The ring signature linking module comprises a judging unit and an execution unit. The judging unit obtains the key image $I$ in the verified ring signature $\sigma$ and determines whether $I$ has appeared in the image list $\Omega$. When the judging unit determines that it has, the execution unit outputs 1 and deletes $\sigma$ from the signature list $\theta$ if the message $M$ in $\sigma$ is not equal to the message $M'$ of the signature $\sigma'$ already present in $\Omega$, and rejects the ring signature $\sigma$ if $M$ equals $M'$; if the key image has not appeared, it outputs 0, accepts the ring signature $\sigma$ and adds it to the signature list $\theta$.

A third aspect of the present invention provides an electronic device comprising a memory and a processor, the memory storing a computer program executable on the processor; when the processor executes the computer program, the conditionally traceable ring signature method of any one of the above is implemented.

A fourth aspect of the present invention provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the conditionally traceable ring signature method of any one of the above.

The present invention provides a conditionally traceable ring signature method, system, electronic device and storage medium. The beneficial effect is that a signature list function is added to the linkable ring signature algorithm. If both parties to a transaction are honest, the signature list is empty. If a party is dishonest, that party's signature is kept in the signature list, so the anonymous revocation authority can only revoke the anonymity of ring signatures in the signature list. This reduces the power of the anonymous revocation authority and achieves partial traceability of ring signatures.

Description of the drawings

To explain the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. The drawings described below are only some embodiments of the present invention; those skilled in the art can obtain other drawings from them without creative work.

FIG. 1 is a flow chart of the conditionally traceable ring signature method according to an embodiment of the present invention;

FIG. 2 is a block diagram of the conditionally traceable ring signature system according to an embodiment of the present invention;

FIG. 3 is a schematic block diagram of the structure of the electronic device according to an embodiment of the present invention.

Detailed description

To make the purpose, features and advantages of the present invention clearer and easier to understand, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings. The described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those skilled in the art on the basis of these embodiments without creative work fall within the protection scope of the present invention.

Referring to FIG. 1, a conditionally traceable ring signature method comprises:

S101. Set system parameters;

S102. Generate keys for the users and the anonymous revocation authority according to the preset digital signature algorithm and the system parameters;

S103. Generate a ring signature according to the keys;

S104. Verify the ring signature; if verification passes, output a first predetermined result, and if it fails, output a second predetermined result;

S105. Perform ring signature linking on the verified ring signature, and use the linking to decide whether to add the ring signature to the signature list;

S106. If the ring signature appears in the signature list and the anonymous revocation authority wants to recover the signing public key using its private key, substitute the private key of the anonymous revocation authority into the pre-mixed public key set to trace the public key of the actual signer.

This embodiment involves three roles, each with different responsibilities: the anonymous revocation authority, the signer and the verifier. The anonymous revocation authority acts as the supervisor of the transaction, the signer is the sender of the transaction, and the verifier is a validating node of the blockchain. The conditionally traceable ring signature proposed in this embodiment comprises six algorithms: system parameter setup, key generation, ring signature generation, ring signature verification, ring signature linking and anonymity revocation.

In step S101, setting the system parameters comprises: taking a security parameter $l_q$ as input and selecting two cyclic groups $G_1$ and $G_T$ of the same prime order $q$, where $g$ is a generator of $G_1$, $e$ denotes the bilinear map $G_1 \times G_1 \to G_T$, $H_s$ denotes a hash function $\{0,1\}^* \to Z_q$ with $Z_q$ a finite field, and $H_p$ denotes a deterministic hash function $G_1 \to G_1$; and outputting the public parameters $param = (l_q, q, g, G_1, G_T, H_s, H_p)$.

In step S102, the user's private key is a random number $d_i \in Z_q$ and the public key is $P_i = d_i g$;

The private key of the anonymous revocation authority is $d'_u \in Z_q$ and its public key is $P'_u = d'_u g$.

In step S103, the method for generating a ring signature according to the keys comprises:

Randomly select the public keys of $n-1$ users and mix them with the signature public keys of $n-1$ users to obtain the set $S = \{P_1, P_2, \dots, P_n\}$; let the signing public key be $P_\pi$ and the private key be $d_\pi$; the number of anonymous revocation authorities selected by the signer is $l$, and their public key set is denoted $T = \{P'_1, P'_2, \dots, P'_l\}$;

Compute the key image $I$ of $d_\pi$, $I = d_\pi H_p(P_\pi)$;

Select $\{q_i \mid i = 1, \dots, n,\ i \neq \pi\}$ and $\{w_i \mid i = 1, \dots, n,\ i \neq \pi\}$ in the finite field $Z_q$, compute $L_i = q_i g + w_i P_i$ $(i \neq \pi)$ and $R_i = q_i H_p(P_i) + w_i I$ $(i \neq \pi)$, then select a random number $q_\pi$ in $Z_q$ and compute $L_\pi = q_\pi g$ and $R_\pi = q_\pi H_p(P_\pi)$;

Select a random number $r_{revoke}$ in the finite field $Z_q$ and compute $R_{revoke} = r_{revoke}\, g$;

For $u = 1, \dots, l$, compute

Figure BDA0004130281140000061

Compute $c = H_s(M, L_1, \dots, L_n, R_1, \dots, R_n)$, $c_i = w_i$ $(i \neq \pi)$,

Figure BDA0004130281140000062

$r_i = q_i$ $(i \neq \pi)$, $r_i = q_\pi - c_\pi d_\pi \bmod q$ $(i = \pi)$;

Select random numbers $p_1, p_2, s_i, c'_i$ in the finite field $Z_q$ and compute

Figure BDA0004130281140000063

$s = p_1 - c' d_\pi$,

Figure BDA0004130281140000064

$s_\pi = p_2 - c'_\pi d_\pi \bmod q$;

Generate the ring signature $\sigma$;

where $\sigma = (I, c_1, \dots, c_n, r_1, \dots, r_n, c'_1, \dots, c'_n, s, s_1, \dots, s_n, R_{revoke}, E_1, \dots, E_l)$.

In step S104, verifying the ring signature comprises:

For $i = 1, \dots, n$, compute $L'_i = r_i g + c_i P_i$ and $R'_i = r_i H_p(P_i) + c_i I$;

Compute $w_1 = H_s(M \mid L'_0, \dots, L'_n \,\|\, R'_0, \dots, R'_n) \bmod q$,

Figure BDA0004130281140000071

If

Figure BDA0004130281140000072

and

Figure BDA0004130281140000073

hold, output the first predetermined result 1 and verification passes; otherwise output the second predetermined result 0 and verification fails.

In step S105, performing ring signature linking on the verified ring signature comprises: obtaining the key image $I$ in the verified ring signature $\sigma$ and determining whether $I$ has appeared in the image list $\Omega$; if it has, and the message $M$ in $\sigma$ is not equal to the message $M'$ of the signature $\sigma'$ already present in $\Omega$, output 1 and delete $\sigma$ from the signature list $\theta$; if $M$ equals $M'$, reject the ring signature $\sigma$; if it has not appeared, output 0, accept the ring signature $\sigma$ and add it to the signature list $\theta$.

If the ring signature appears in the signature list, the anonymous revocation case arises; if the ring signature does not appear in the signature list, both parties to the transaction are honest.

In step S105, it is the verifier who obtains the key image $I$ from the verified ring signature $\sigma$.
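The signing (S103), verification (S104) and key-image linking (S105) steps above, as an added Python example that is not code from the patent. Assumptions: secp256k1 stands in for $G_1$; the formulas for $c_\pi$ and for the final verification check are images not reproduced on this page, so the common closing $c_\pi = c - \sum_{i \neq \pi} c_i \bmod q$ with the check $\sum_i c_i = H_s(M, L', R')$ is assumed; the revocation components ($R_{revoke}$, $E_u$, $c'_i$, $s$, $s_i$) and the signature list $\theta$ are left out, and recording accepted key images in $\Omega$ is an assumption.

```python
import hashlib
import secrets

# Assumption: secp256k1 (y^2 = x^3 + 7 over F_P, prime order Q, cofactor 1)
# stands in for the page's group G_1 with generator g.
P = 2**256 - 2**32 - 977
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):
    """Affine point addition; None is the identity element."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Scalar multiple k*pt (double-and-add; not constant time)."""
    k %= Q
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def on_curve(pt):
    return pt is not None and (pt[1] ** 2 - pt[0] ** 3 - 7) % P == 0

def H_s(*parts):
    """H_s: {0,1}* -> Z_q."""
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big") % Q

def H_p(pt):
    """H_p: G_1 -> G_1, deterministic try-and-increment hash to a curve point."""
    ctr = 0
    while True:
        x = int.from_bytes(hashlib.sha256(repr((pt, ctr)).encode()).digest(), "big") % P
        y2 = (pow(x, 3, P) + 7) % P
        y = pow(y2, (P + 1) // 4, P)      # square root, valid because P % 4 == 3
        if y * y % P == y2:
            return (x, y)
        ctr += 1

def keygen():
    d = secrets.randbelow(Q - 1) + 1      # private key d_i in Z_q
    return d, mul(d, G)                   # public key P_i = d_i g

def sign(M, ring, pi, d):
    """Ring part of S103: returns (I, [c_i], [r_i]) for the signer at index pi."""
    n = len(ring)
    I = mul(d, H_p(ring[pi]))             # key image I = d_pi H_p(P_pi)
    q = [secrets.randbelow(Q) for _ in range(n)]
    w = [secrets.randbelow(Q) for _ in range(n)]
    L, R = [], []
    for i, Pi in enumerate(ring):
        Hi = H_p(Pi)
        if i == pi:                       # L_pi = q_pi g, R_pi = q_pi H_p(P_pi)
            L.append(mul(q[i], G))
            R.append(mul(q[i], Hi))
        else:                             # L_i = q_i g + w_i P_i, R_i = q_i H_p(P_i) + w_i I
            L.append(add(mul(q[i], G), mul(w[i], Pi)))
            R.append(add(mul(q[i], Hi), mul(w[i], I)))
    c = H_s(M, L, R)
    cs = list(w)                          # c_i = w_i for i != pi
    cs[pi] = (c - sum(w[i] for i in range(n) if i != pi)) % Q   # assumed closing
    rs = list(q)                          # r_i = q_i for i != pi
    rs[pi] = (q[pi] - cs[pi] * d) % Q     # r_pi = q_pi - c_pi d_pi mod q
    return I, cs, rs

def verify(M, ring, sig):
    """Ring part of S104: returns 1 if the signature verifies, else 0."""
    I, cs, rs = sig
    if not on_curve(I) or not len(cs) == len(rs) == len(ring):
        return 0                          # reject malformed key images and lengths
    L = [add(mul(r, G), mul(c, Pi)) for r, c, Pi in zip(rs, cs, ring)]
    R = [add(mul(r, H_p(Pi)), mul(c, I)) for r, c, Pi in zip(rs, cs, ring)]
    return int(sum(cs) % Q == H_s(M, L, R))

def link(M, sig, omega):
    """S105 decision on a verified signature; omega maps key image -> message."""
    I = sig[0]
    if I in omega:                        # image seen before: 1 if message differs
        return 1 if omega[I] != M else "reject"
    omega[I] = M                          # assumption: accepted images are recorded
    return 0
```

Because $I = d_\pi H_p(P_\pi)$ depends only on the signer's key pair, two signatures by the same key share a key image even when the ring and the message differ, which is what the lookup in $\Omega$ relies on.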

In step S106, substituting the private key of the anonymous revocation authority into the pre-mixed public key set to trace the public key of the actual signer comprises: substituting the private key $d'_u$ of the anonymous revocation authority into the public keys in the set $S$ in turn and, for $i = 1, \dots, n$, checking whether

Figure BDA0004130281140000074

holds; the public key $P_\pi$ that makes the equation hold is the public key of the actual signer.

Thus, to achieve partial traceability of ring signatures, the conditionally traceable ring signature method provided by this embodiment adds a signature list function to the linkable ring signature algorithm. If both parties to a transaction are honest, the signature list is empty. If a party is dishonest, that party's signature is kept in the signature list, so the anonymous revocation authority can only revoke the anonymity of ring signatures in the signature list. This reduces the power of the anonymous revocation authority and achieves partial traceability of ring signatures.

Referring to FIG. 2, an embodiment of the present application further provides a conditionally traceable ring signature system, comprising: a parameter setting module 1, a key generation module 2, a ring signature generation module 3, a ring signature verification module 4, a ring signature linking module 5 and a tracing module 6.

The parameter setting module 1 is used to set system parameters;

The key generation module 2 is used to generate keys for the users and the anonymous revocation authority according to the preset digital signature algorithm and the system parameters;

The ring signature generation module 3 is used to generate a ring signature according to the keys;

The ring signature verification module 4 is used to verify the ring signature; if verification passes, it outputs the first predetermined result, and if it fails, it outputs the second predetermined result;

The ring signature linking module 5 is used to perform ring signature linking on the verified ring signature and to use the linking to decide whether to add the ring signature to the signature list;

The tracing module 6 is used, when the ring signature linking module determines that the ring signature appears in the signature list and the anonymous revocation authority wants to recover the signing public key using its private key, to substitute the private key of the anonymous revocation authority into the pre-mixed public key set and trace the public key of the actual signer;

The parameter setting module 1 is specifically used to take a security parameter $l_q$ as input and select two cyclic groups $G_1$ and $G_T$ of the same prime order $q$, where $g$ is a generator of $G_1$, $e$ denotes the bilinear map $G_1 \times G_1 \to G_T$, $H_s$ denotes a hash function $\{0,1\}^* \to Z_q$ with $Z_q$ a finite field, and $H_p$ denotes a deterministic hash function $G_1 \to G_1$; and to output the public parameters $param = (l_q, q, g, G_1, G_T, H_s, H_p)$.

Among the keys generated by the key generation module 2, the user's private key is a random number $d_i \in Z_q$ and the public key is $P_i = d_i g$; the private key of the anonymous revocation authority is $d'_u \in Z_q$ and its public key is $P'_u = d'_u g$.

The ring signature generation module 3 comprises: a public key selection unit, an image calculation unit, a first calculation unit, a second calculation unit, a first selection unit, a third calculation unit, a fourth calculation unit and a ring signature generation unit.

公钥选择单元用于随机选择n-1个用户的公钥,与n-1个用户的签名公钥进行混合得到集合S={P1,P2,...,Pn},设置签名公钥为Pπ,私钥为dπ,签名者选择的匿名撤销机构的个数为l,其公钥集合用T表示,T={P′1,P′2,...,P′l};The public key selection unit is used to randomly select the public keys of n-1 users, mix them with the signature public keys of n-1 users to obtain a set S={P 1 , P 2 ,...,P n }, and set the signature The public key is P π , the private key is d π , the number of anonymous revocation institutions selected by the signer is l, and the public key set is represented by T, T={P′ 1 , P′ 2 ,...,P′ l };

镜像计算单元用于计算dπ的密钥镜像I,I=dπHp(Pπ);The image calculation unit is used to calculate the key image I of d π , I=d π H p (P π );

第一计算单元用于在有限域Zq中选择{qi|i=1,...,n,i≠π}和{wi|i=1,...,n,i≠π},计算Li=qig+wiPi(i≠π)和Ri=qiHp(Pi)+wiI(i≠π),并在有限域Zq中选择随机数qπ,计算Lπ=qπg和Rπ=qπHp(Pπ);The first computational unit is used to select {q i |i=1,...,n, i≠π} and {w i |i=1,...,n, i≠π} in the finite field Z q , calculate L i =q i g+w i P i (i≠π) and R i =q i H p (P i )+w i I(i≠π), and select random numbers in the finite field Z q q π , calculate L π =q π g and R π =q π H p (P π );

第二计算单元用于在有限域Zq中选择随机数rrevoke,计算Rrevoke=rrevokeg;The second calculation unit is used to select a random number r revoke in the finite field Z q , and calculate R revoke = r revoke g;

The first selection unit is configured to, for $u = 1, \ldots, l$, compute

Figure BDA0004130281140000091

The third calculation unit is configured to compute $c = H_s(M, L_1, \ldots, L_n, R_1, \ldots, R_n)$, $c_i = w_i$ $(i \neq \pi)$,

Figure BDA0004130281140000092

$r_i = q_i$ $(i \neq \pi)$, and $r_i = q_\pi - c_\pi d_\pi \bmod q$ $(i = \pi)$;

The fourth calculation unit is configured to select random numbers $p_1, p_2, s_i, c'_i$ in the finite field $Z_q$ and compute

Figure BDA0004130281140000093

$s = p_1 - c' d_\pi$,

Figure BDA0004130281140000094

$s_\pi = p_2 - c'_\pi d_\pi \bmod q$;

The ring signature generation unit is configured to generate the ring signature $\sigma$;

where $\sigma = (I, c_1, \ldots, c_n, r_1, \ldots, r_n, c'_1, \ldots, c'_n, s, s_1, \ldots, s_n, R_{revoke}, E_1, \ldots, E_l)$.

The ring signature linking module 5 includes a judgment unit and an execution unit. The judgment unit is configured to obtain the key image $I$ from a verified ring signature $\sigma$ and determine whether $I$ has already appeared in the image list $\Omega$. The execution unit is configured as follows: if the judgment unit determines that $I$ has appeared and the message $M$ in the ring signature $\sigma$ is not equal to the message $M'$ of the signature $\sigma'$ already present in the image list $\Omega$, it outputs 1 and deletes $\sigma$ from the signature list $\theta$; if $M$ equals $M'$, it rejects the ring signature $\sigma$; if $I$ has not appeared, it outputs 0, accepts the ring signature $\sigma$, and adds $\sigma$ to the signature list $\theta$.

The ring signature verification module 4 includes: a fifth calculation unit, a sixth calculation unit, and an output unit;

The fifth calculation unit is configured to compute, for $i = 1, \ldots, n$, $L'_i = r_i g + c_i P_i$ and $R'_i = r_i H_p(P_i) + c_i I$;

The sixth calculation unit is configured to compute $w_1 = H_s(M \,|\, L'_0, \ldots, L'_n \,\|\, R'_0, \ldots, R'_n) \bmod q$,

Figure BDA0004130281140000095
Figure BDA0004130281140000101

The output unit is configured so that, if

Figure BDA0004130281140000102

and

Figure BDA0004130281140000103

both hold, it outputs the first predetermined result 1 and verification passes; otherwise it outputs the second predetermined result 0 and verification fails.

The tracking module 6 is specifically configured to substitute the private key $d'_u$ of the anonymous revocation authority, in turn, with each public key in the set $S$: for $i = 1, \ldots, n$, it checks whether

Figure BDA0004130281140000104

holds, and finds the public key $P_\pi$ that makes the equation hold; $P_\pi$ is the public key of the actual signer.

Therefore, in the conditionally traceable ring signature system provided by the embodiments of the present application, to achieve partial traceability of ring signatures, a signature list function is added to the linkable ring signature algorithm. If both parties to a transaction are honest, the signature list is empty. If one party to the transaction is dishonest, that party's signature is retained in the signature list, so that the anonymous revocation authority can only revoke the anonymity of ring signatures in the signature list. This reduces the power of the anonymous revocation authority and achieves partial traceability of ring signatures.
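As an added illustration (not code from the patent), the Python sketch below implements the key image $I$, the commitments $L_i$, $R_i$, the response $r_\pi$, the recomputation of $L'_i$, $R'_i$ and the key-image linking decision described above, over a toy multiplicative group that stands in for the pairing group $G_1$. The page's equations for $c_\pi$ and for the final verification equality survive only as figure references, so the closing rule $c_\pi = c - \sum_{i \neq \pi} c_i \bmod q$ and the check $\sum_i c_i = c$ are assumptions taken from the standard linkable ring signature construction. The revocation values $E_u$ and $R_{revoke}$, the second proof ($c'_i$, $s$, $s_i$) and the signature list $\theta$ are not modelled, and all function names and parameters are illustrative.

```python
import hashlib
import math
import secrets

def _is_prime(n):
    return n > 1 and all(n % k for k in range(2, math.isqrt(n) + 1))

# Toy group (constructed, far too small to be secure): the order-Q subgroup of
# Z_P*, P = 2Q + 1. The page's additive "d g" is written pow(G, d, P) here.
Q = 2**32 + 1
while not (_is_prime(Q) and _is_prime(2 * Q + 1)):
    Q += 2
P = 2 * Q + 1
G = 4  # a square other than 1, so it has prime order Q

def H_s(*parts):
    """H_s: {0,1}* -> Z_q."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def H_p(point):
    """H_p: G_1 -> G_1 (hash, then square to land in the order-Q subgroup)."""
    h = int.from_bytes(hashlib.sha256(f"Hp|{point}".encode()).digest(), "big")
    return pow(h % P, 2, P)

def keygen():
    d = secrets.randbelow(Q - 1) + 1
    return d, pow(G, d, P)                       # (d_i, P_i = d_i g)

def sign(msg, ring, pi, d):
    """Signer at index pi with private key d; returns (I, c_1..c_n, r_1..r_n)."""
    n = len(ring)
    I = pow(H_p(ring[pi]), d, P)                 # key image I = d_pi H_p(P_pi)
    c, r, L, R = [0] * n, [0] * n, [0] * n, [0] * n
    q_pi = secrets.randbelow(Q)
    for i, Pi in enumerate(ring):
        if i == pi:                              # L_pi = q_pi g, R_pi = q_pi H_p(P_pi)
            L[i], R[i] = pow(G, q_pi, P), pow(H_p(Pi), q_pi, P)
        else:                                    # r_i = q_i, c_i = w_i
            r[i], c[i] = secrets.randbelow(Q), secrets.randbelow(Q)
            L[i] = pow(G, r[i], P) * pow(Pi, c[i], P) % P
            R[i] = pow(H_p(Pi), r[i], P) * pow(I, c[i], P) % P
    # ASSUMPTION: c_pi closes the ring so that all c_i sum to the hash c.
    c[pi] = (H_s(msg, *L, *R) - sum(c)) % Q
    r[pi] = (q_pi - c[pi] * d) % Q               # r_pi = q_pi - c_pi d_pi mod q
    return I, c, r

def verify(msg, ring, sig):
    I, c, r = sig
    # Reject malformed input and key images outside the prime-order subgroup.
    if not (len(ring) == len(c) == len(r)) or I == 1 or pow(I, Q, P) != 1:
        return False
    L = [pow(G, ri, P) * pow(Pi, ci, P) % P for Pi, ci, ri in zip(ring, c, r)]
    R = [pow(H_p(Pi), ri, P) * pow(I, ci, P) % P for Pi, ci, ri in zip(ring, c, r)]
    return sum(c) % Q == H_s(msg, *L, *R)        # ASSUMPTION: sum of c_i equals c

def link(omega, msg, sig):
    """Linking step for an already verified signature; omega maps I -> message.
    Returns 1 (key image seen with a different message), "reject" (same
    message again) or 0 (fresh key image, accepted and recorded)."""
    I = sig[0]
    if I in omega:
        return 1 if omega[I] != msg else "reject"
    omega[I] = msg
    return 0

if __name__ == "__main__":
    keys = [keygen() for _ in range(4)]          # constructed sample ring
    ring = [pk for _, pk in keys]
    omega = {}
    for msg in ("pay A 5", "pay B 5"):           # same signer, two messages
        sig = sign(msg, ring, 2, keys[2][0])
        print(msg, verify(msg, ring, sig), link(omega, msg, sig))
```

Because $I$ depends only on the signer's key pair, two signatures from the same key share a key image regardless of the ring or message, which is what lets the linking step flag reuse without revealing which ring member signed.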

An embodiment of the present application provides an electronic device. Referring to FIG. 3, the electronic device includes a memory 601, a processor 602, and a computer program stored in the memory 601 and executable on the processor 602; when the processor 602 executes the computer program, the conditionally traceable ring signature method described above is implemented.

Further, the electronic device also includes at least one input device 603 and at least one output device 604.

The memory 601, the processor 602, the input device 603 and the output device 604 are connected through a bus 605.

The input device 603 may specifically be a camera, a touch panel, a physical button, a mouse, or the like. The output device 604 may specifically be a display screen.

The memory 601 may be a high-speed random access memory (RAM) or a non-volatile memory, such as a disk memory. The memory 601 is used to store a set of executable program code, and the processor 602 is coupled to the memory 601.

Further, an embodiment of the present application also provides a computer-readable storage medium. The computer-readable storage medium may be provided in the electronic device of the above embodiments, and may be the memory 601 described above. A computer program is stored on the computer-readable storage medium, and when the program is executed by the processor 602, the conditionally traceable ring signature method described in the foregoing embodiments is implemented.

Further, the computer-readable storage medium may also be any medium capable of storing program code, such as a USB flash drive, a removable hard disk, a read-only memory 601 (ROM), RAM, a magnetic disk, or an optical disc.

In the several embodiments provided in this application, it should be understood that the disclosed devices and methods may be implemented in other ways. For example, the device embodiments described above are only illustrative: the division into modules is only a division by logical function, and other divisions are possible in an actual implementation. Multiple modules or components may be combined or integrated into another system, and some features may be omitted or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or modules, and may be electrical, mechanical or of another form.

The modules described as separate components may or may not be physically separate, and the components shown as modules may or may not be physical modules; that is, they may be located in one place or distributed across multiple network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.

In addition, the functional modules in the embodiments of the present invention may be integrated into one processing module, each module may exist physically on its own, or two or more modules may be integrated into one module. The integrated module may be implemented in the form of hardware or in the form of a software functional module.

If the integrated module is implemented in the form of a software functional module and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to execute all or part of the steps of the methods described in the embodiments of the present invention.

It should be noted that, for simplicity of description, the foregoing method embodiments are each expressed as a series of combined actions, but those skilled in the art should know that the present invention is not limited by the described order of actions, because according to the present invention some steps may be performed in another order or simultaneously. Those skilled in the art should also know that the embodiments described in the specification are all preferred embodiments, and the actions and modules involved are not necessarily all required by the present invention.

In the above embodiments, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, refer to the relevant descriptions of the other embodiments.

The above is a description of the conditionally traceable ring signature method, system, electronic device and storage medium provided by the present invention. For those skilled in the art, following the ideas of the embodiments of the present invention, there will be changes in the specific implementation and in the scope of application. In summary, the contents of this specification should not be construed as limiting the present invention.

Claims (9)

1. A condition-traceable ring signature method, comprising:
setting system parameters;
generating keys for users and anonymous revocation authorities according to a preset digital signature algorithm and the system parameters;
generating a ring signature according to the keys;
verifying the ring signature, outputting a first predetermined result if the verification passes, and outputting a second predetermined result if the verification does not pass;
performing ring signature linking on the ring signature that has passed verification, and determining through the ring signature linking whether the ring signature is added to a signature list;
if the ring signature appears in the signature list and the anonymous revocation authority wants to recover the signing public key using its private key, substituting the private key of the anonymous revocation authority into a pre-mixed public key set to trace the public key of the actual signer;
wherein performing ring signature linking on the ring signature that has passed verification comprises: obtaining the key image $I$ in the verified ring signature $\sigma$ and determining whether the key image $I$ has appeared in the image list $\Omega$; if it has appeared and the message $M$ in the ring signature $\sigma$ is not equal to the message $M'$ of the signature $\sigma'$ already present in the image list $\Omega$, outputting 1 and deleting $\sigma$ from the signature list $\theta$, and if $M$ is equal to $M'$, rejecting the ring signature $\sigma$; if it has not appeared, outputting 0, accepting the ring signature $\sigma$, and adding the ring signature $\sigma$ to the signature list $\theta$.
2. The condition-traceable ring signature method according to claim 1, wherein
setting the system parameters comprises: inputting a security parameter $l_q$ and selecting two cyclic groups $G_1$ and $G_T$ of the same prime order $q$, where $g$ is a generator of $G_1$, $e$ denotes the bilinear map $G_1 \times G_1 \to G_T$, $H_s$ denotes a hash function $\{0,1\}^* \to Z_q$ with $Z_q$ a finite field, and $H_p$ denotes a deterministic hash function $G_1 \to G_1$; and outputting the public parameters $param = (l_q, q, g, G_1, G_T, H_s, H_p)$.
3. The condition-traceable ring signature method of claim 2, wherein
the private key of the user is a random number $d_i \in Z_q$ and the public key is $P_i = d_i g$;
the private key of the anonymous revocation authority is $d'_u \in Z_q$ and the public key is $P'_u = d'_u g$.
4. The condition-traceable ring signature method of claim 3, wherein
generating the ring signature according to the keys comprises:
randomly selecting the public keys of $n-1$ users and mixing them with the signature public keys of the $n-1$ users to obtain a set $S = \{P_1, P_2, \ldots, P_n\}$, the signing public key being $P_\pi$ and the private key being $d_\pi$, the number of anonymous revocation authorities selected by the signer being $l$, and their public key set being denoted $T = \{P'_1, P'_2, \ldots, P'_l\}$;
computing the key image $I$ of $d_\pi$, $I = d_\pi H_p(P_\pi)$;
selecting $\{q_i \mid i = 1, \ldots, n,\ i \neq \pi\}$ and $\{w_i \mid i = 1, \ldots, n,\ i \neq \pi\}$ in the finite field $Z_q$, computing $L_i = q_i g + w_i P_i$ $(i \neq \pi)$ and $R_i = q_i H_p(P_i) + w_i I$ $(i \neq \pi)$, and selecting a random number $q_\pi$ in the finite field $Z_q$ and computing $L_\pi = q_\pi g$ and $R_\pi = q_\pi H_p(P_\pi)$;
selecting a random number $r_{revoke}$ in the finite field $Z_q$ and computing $R_{revoke} = r_{revoke}\, g$;
for $u = 1, \ldots, l$, computing
Figure FDA0004130281130000025
computing $c = H_s(M, L_1, \ldots, L_n, R_1, \ldots, R_n)$, $c_i = w_i$ $(i \neq \pi)$,
Figure FDA0004130281130000024
$r_i = q_i$ $(i \neq \pi)$, $r_i = q_\pi - c_\pi d_\pi \bmod q$ $(i = \pi)$;
selecting random numbers $p_1, p_2, s_i, c'_i$ in the finite field $Z_q$ and computing
Figure FDA0004130281130000021
$s = p_1 - c' d_\pi$
Figure FDA0004130281130000022
$s_\pi = p_2 - c'_\pi d_\pi \bmod q$;
generating a ring signature $\sigma$;
wherein $\sigma = (I, c_1, \ldots, c_n, r_1, \ldots, r_n, c'_1, \ldots, c'_n, s, s_1, \ldots, s_n, R_{revoke}, E_1, \ldots, E_l)$.
5. The condition-traceable ring signature method of claim 4, wherein
verifying the ring signature comprises:
for $i = 1, \ldots, n$, computing $L'_i = r_i g + c_i P_i$ and $R'_i = r_i H_p(P_i) + c_i I$;
computing $w_1 = H_s(M \,|\, L'_0, \ldots, L'_n \,\|\, R'_0, \ldots, R'_n) \bmod q$,
Figure FDA0004130281130000023
if
Figure FDA0004130281130000031
and
Figure FDA0004130281130000032
both hold, outputting the first predetermined result 1, the verification passing; otherwise, outputting the second predetermined result 0, the verification failing.
6. The condition-traceable ring signature method of claim 5, wherein
substituting the private key of the anonymous revocation authority into the pre-mixed public key set to trace the public key of the actual signer comprises:
substituting the private key $d'_u$ of the anonymous revocation authority, in turn, with each public key in the set $S$, and for $i = 1, \ldots, n$ checking whether
Figure FDA0004130281130000033
holds, and finding the public key $P_\pi$ that makes the equation hold, the public key $P_\pi$ being the public key of the actual signer.
7. A condition-traceable ring signature system, comprising:
a parameter setting module, configured to set system parameters;
a key generation module, configured to generate keys for users and anonymous revocation authorities according to a preset digital signature algorithm and the system parameters;
a ring signature generation module, configured to generate a ring signature according to the keys;
a ring signature verification module, configured to verify the ring signature, output a first predetermined result if the ring signature passes verification, and output a second predetermined result if it does not;
a ring signature linking module, configured to perform ring signature linking on the ring signature that has passed verification, and to determine through the ring signature linking whether the ring signature is added to a signature list;
a tracking module, configured so that, when the ring signature linking module determines that the ring signature appears in the signature list and the anonymous revocation authority wants to recover the signing public key using its private key, the private key of the anonymous revocation authority is substituted into a pre-mixed public key set to trace the public key of the actual signer;
wherein the ring signature linking module includes a judgment unit and an execution unit; the judgment unit is configured to obtain the key image $I$ in the verified ring signature $\sigma$ and determine whether the key image $I$ has appeared in the image list $\Omega$; the execution unit is configured so that, if the judgment unit determines that it has appeared and the message $M$ in the ring signature $\sigma$ is not equal to the message $M'$ of the signature $\sigma'$ already present in the image list $\Omega$, it outputs 1 and deletes $\sigma$ from the signature list $\theta$, and if $M$ is equal to $M'$, it rejects the ring signature $\sigma$; if it has not appeared, it outputs 0, accepts the ring signature $\sigma$, and adds the ring signature $\sigma$ to the signature list $\theta$.
8. An electronic device, comprising: a memory, a processor, and a computer program stored in the memory and executable on the processor, characterized in that the processor, when executing the computer program, implements the method according to any one of claims 1 to 6.
9. A computer-readable storage medium on which a computer program is stored, characterized in that the computer program, when executed by a processor, implements the method of any one of claims 1 to 6.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310257980.2A CN116318726A (en) 2023-03-07 2023-03-07 A condition traceable ring signature method, system, electronic device and storage medium


Publications (1)

Publication Number Publication Date
CN116318726A true CN116318726A (en) 2023-06-23

Family

ID=86797408

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310257980.2A Pending CN116318726A (en) 2023-03-07 2023-03-07 A condition traceable ring signature method, system, electronic device and storage medium

Country Status (1)

Country Link
CN (1) CN116318726A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination