# Attribute-based network ring signing method for distributed authorization

## A distributed, ring signature technology, applied in user identity/authority verification and key distribution, can solve problems such as increasing the communication cost between the attribute authority AA and the user, attribute key escrow, and anonymity degradation.

Active Publication Date: 2017-11-10

刁伟强

3 Cites 15 Cited by

## AI-Extracted Technical Summary

### Problems solved by technology

This method embeds user identity information directly into the attribute key, although it can ensure that the signature cannot be generated by collusion of multiple users, but the anonymity of the method is degraded due to the introduction of identity information.

In addition, since the use of a single attribute authority is responsible for the distribution and management of all attribute keys in the system, as long as the attribute authority is compromised by the attacker, the attacker can use the key of the attribute authority to generate the attribute key of any user in the system. Therefore, this approach also suffers from property key escrow issues

[0004] Li et al. "Li J, Chen XF, Huang XY. New attribute-based authentication and its application in anonymous cloud access service [J]. Journal on International Jour...

## Abstract

The invention discloses an attribute-based network ring signing method for distributed authorization and belongs to the field of information security. The method comprises the steps of in an initialization phase, removing a credible system centre through utilization of a distributed key negotiation protocol, dispersing key management authority of an attribute authorization mechanism, and solving an attribute key trusteeship problem; in a key distribution phase, embedding a user identity into the attribute key and determining that through utilization of the method, a collusion attack can be resisted; and in a signature generation phase, introducing a user identity fuzzy factor, thereby enabling the method to have unconditional high anonymity. The method is high in anonymity and high in security; and anonymous identity authentication and access control function can be effectively carried out on cloud computing and electronic medical networks.

Application Domain

Key distribution for secure communicationUser identity/authority verification

Technology Topic

Cloud computingAuthorization +6

## Image

## Examples

- Experimental program(1)

### Example Embodiment

[0071] Example

[0072] A specific embodiment of the present invention is a distributed authorization attribute-based network ring signature method, the steps of which are:

[0073] A. Parameter generation

[0074] A1. Establishment of attribute set

[0075] The system establishes attribute collection space W, W={W 1 ,...,W k ,...,W K},in is the kth attribute subset of the attribute set space W, and K is the total number of attribute subsets in the attribute set space W; w i,k is the kth attribute subset W k The i-th attribute in |W k | is the kth attribute subset W k The total number of attributes in;

[0076] A2. Generation of system public key and private key

[0077] System setting P≥K distributed attribute authority AA p , where p is the attribute authority AA p serial number, p={1,2,...,P}; construct q factorial method cyclic group G and q factorial method cyclic group Y, q is greater than 2 512 and there is a bilinear mapping relationship y=e(g a , g b ); among them, e(g a , g b ) represents the element g in the cyclic group G of the q factorial method a and element g b Perform bilinear mapping operations;

[0078] All Property Authorities AA 1 ,...,AA p ,...,AA P , execute the distributed key generation protocol with (K,P) threshold; select any K attribute authority AA p Cooperate to generate system master key a 0 and system secondary key b 0;Choose an attribute authority AA p Generate: the system's first public key g 1 , System second public key g 2 , Where g is the generator of the cyclic group G of the q factorial method; the attribute authorization agency AA p Then the system's first public key g 1 , the second system public key g 2 Perform bilinear mapping operation to obtain the third public key y of the system, y=e(g 1 , g 2 );

[0079] A3. Generation of private key and public key of attribute authority

[0080] will property authority AA p The polynomial of degree K-1 used in the distributed key generation protocol implementing the (K,P) threshold is named f p (x); where f p The coefficients for each item in (x) are determined by the attribute authority AA p In a finite field consisting of integers between 1 and (q-1) randomly selected on

[0081] will property authority AA p The serial number p is used as the value of the independent variable x, and is substituted into all attribute authorization agencies AA 1 ,...,AA p ,...,AA P The degree K-1 polynomial f used 1 (x),...,f p (x),...,f P (x), obtain the values of these polynomials, the sum of the values of all polynomials is the attribute authority AA p The master key is a p,0;

[0082] Attribute Authority AA p in finite fields randomly select a number as the secondary key c p , and pass the second key c p Calculate your own public key P p ,

[0083] A4. Public and private key generation of attributes

[0084] The system establishes the attribute subset W in the attribute set W k The serial number k to the attribute authority AA p The one-to-many mapping D of the sequence number p, the attribute subset W in the attribute set W k The corresponding attribute subset obtained after mapping is named W p , and subset the attributes W p The key distribution and management rights are assigned to the attribute authority AA p;

[0085] Attribute Authority AA p in finite fields Randomly select a series of numbers as its management attribute subset W p The private key of the attribute in the attribute, and calculate the public key of the corresponding attribute according to the attribute private key; where the attribute subset W p The i-th attribute w ini,p The corresponding private key is denoted as t i,p , and its corresponding public key is denoted as T i,p ,

[0086] A5. Selection of hash function

[0087] The system selects three hash functions: H 1 : h 2 :w i,p →G,H 3 :m→G, and the selected three hash functions H 1 、H 2 、H 3 announced; among them To map a string of arbitrary length {0,1} to a finite field Hash operation on elements, w i,p →G is the authority to assign the pth attribute to AA p Managed attribute subset W p The attribute w in i,p Mapping is the hash operation of the elements on the multiplicative cyclic group G, m→G is the hash operation of mapping the file m to be signed to the elements on the multiplicative cyclic group G;

[0088] B. User key distribution

[0089] B1. Description of user attribute collection

[0090] User ID has user attribute set W ID , W ID ={W ID,1 ,...,W ID,k ,...,W ID,K}; user attribute set W ID is a subset of the attribute set space W, W is the set of user attributes ID The kth subset of is also the kth attribute subset of the attribute set space W a subset of w ID,i,k W is the set of user attributes ID The kth subset W of ID,k The i-th attribute in , according to the user attribute set W ID The kth subset W of ID,k and the kth attribute subset W of the set space W k The corresponding relationship between the attributes in and their private key and public key, find out the user attribute set W ID The kth subset W of ID,k The i-th attribute w in ID,i,k The corresponding private key and public key, and relabel the corresponding private key as t ID,i,k , the public key is relabeled T ID,i,k;

[0091] B2. Selection of random polynomials

[0092] User ID according to its own attribute set W ID Each attribute subset W in ID,k The serial number k and one-to-many mapping D, to the corresponding K attribute authority AA p Issue a key distribution application; the system then uses the inverse mapping D of the one-to-many mapping D -1 K attribute authorities AA that will accept key distribution applications p Reorder, Get Reorder Attributes Authority AA 1 ,...,AA k ,...,AA K , that is, the kth reordering attribute authority AA k Have the kth attribute subset W of the attribute set W k key distribution and management authority;

[0093] The K reordered attribute authorities AA 1 ,...,AA k ,...,AA K Separately choose the polynomial f 1 '(x),...,f k '(x),...,f' K (x); where f k '(x) is the kth reordering attribute authorization machine AA k selected d k - polynomial of degree 1, d k Reorder attribute authority AA for the kth k Preset signature threshold, polynomial f k The constant item value of '(x) is equal to the kth reordering attribute authority AA k master key a k,0 , polynomial f k The coefficients of the remaining terms of '(x) are the kth reordering attribute authority AA k in finite fields A randomly selected number on

[0094] B3. Calculation of user identity

[0095] kth reordering attribute authority AA k Take the user's identity ID as an argument, and use the second key c k As the seed key of the pseudo-random function PRF, generate the kth part λ of the user identity ID,k ,Right now

[0096] The various parts of the user identity λ ID,1 ,...,λ ID,k ,...,λ ID,K Link, you can get the user identity λ ID ,λ ID =λ ID,1 ||...||λ ID,k ||...||λ ID,K;

[0097] B4. Generation of user master key

[0098] kth reordering attribute authority AA k Generate the kth part S of the user master key for the user ID 1,k ,

[0099] B5. Generation of user attribute key

[0100] kth reordering attribute authority AA k Generate user attribute set W for user ID ID The kth subset W of ID,k The i-th attribute w in ID,i,k The corresponding key S 2,i,k , as user attribute key S 2,k the i-th subsection S of the k-th section 2,i,k;

[0101] User attribute key S 2,k various subsections of section k Link to get the kth part S of the user attribute key 2,k ,

[0102] B6. Distribution of user attribute keys

[0103] K Reordering Attribute Authorities AA 1 ,...,AA k ,...,AA K The k-th part S of the user's master key is respectively 1,k and the kth part S of the user attribute key 2,k Sent to the user ID via a secure channel;

[0104] The user ID will be the various parts of the user master key S 1,1 ,...,S 1,k ,...,S 1,K Link to get the master key S of the user ID ID,1 , S ID,1 = S 1,1 ||…||S 1,k ||…||S 1,K; At the same time, each part of the user attribute key S 2,1 ,...,S 2,k ,...,S 2,K Link to get the user attribute key S of the user ID ID,2 , S ID,2 = S 2,1 ||…||S 2,k ||…||S 2,K;

[0105] C. Signature generation

[0106] When the user ID accesses the network service, the network server gives the file m to be signed, and from the kth attribute subset W of the attribute set space W k select a subset of As a set of declaration signature properties W * The k-th subset of declaration signature attributes; the union of all declaration signature attribute subsets is the declaration signature attribute set W * ,Right now

[0107] The signer is the user ID from the statement signature attribute set W * The kth declaration signature attribute subset of and its user attribute set W ID The kth subset W of ID,k In the intersection of , arbitrarily choose d k attributes to form the signature attribute set W′ ID The kth signature attribute subset W′ of ID,k , Among them, w ID',i,k is the set of signature attributes W′ ID The kth signature attribute subset W′ of ID,k The i-th attribute in , all signature attribute subset W′ ID,k The union of is the signature attribute set W′ ID , namely W′ ID ={W' ID,1 ,...,W′ ID,k ,...,W′ ID,K};

[0108] C1. Selection of signature attribute key

[0109] The signer then according to the signature attribute set W′ ID The kth signature attribute subset W′ of ID,k The i-th attribute w in ID',i,k and user attribute set W ID The kth attribute subset W of ID,k The attributes in and the correspondence between the corresponding private key, public key and user signature attribute key, the w ID',i,k The corresponding private key is relabeled as t ID',i,k , the corresponding public key is relabeled as T ID',i,k , and the corresponding key is relabeled S′ 2,i,k , and as the i-th sub-part S′ of the k-th part of the user signature attribute key 2,i,k;

[0110] The signer will sign each subpart S' of the kth part of the attribute key 2,i,k Link to generate the kth part S' of the user's signature attribute key 2,k , Then each part S' of the user's signature attribute key 2,k Link to generate user signature attribute key S' ID,2 , S′ ID,2 =S' 2,1 ||…||S′ 2,k ||…||S′ 2,K;

[0111] C2. Generation of the first sub-signature

[0112] The signer first calculates the first sub-signature σ of the file m to be signed 1 The first part σ of 1,1 , Among them, z is in the finite field Randomly selected user identity fuzzy factor; v is in the finite field The message random factor randomly selected above;

[0113] Then, calculate the kth subpart σ in the second part of the first subsignature of the file m to be signed 1,2,k , Among them, r' i,k is a finite field The attribute w in the randomly selected signature attribute set ID',i,k random factor; means w ID',i,k and W' ID,k about d k - Lagrangian coefficient of degree 1 polynomial f'(x) at x=0, its calculation method is where w ID',j,k for W' ID,k The jth element in , and j≠i, Π is the multiplication operation symbol, ∈ is the belonging symbol of the set, indicating the range of multiplication; Δ k,{1,…,K} (0) means the Lagrangian coefficient of k and {1,...,K} about K-1 degree polynomial f(x) at x=0, and its calculation method is where k' is W' ID,k Elements in , and k'≠k;

[0114] Second, calculate the kth subpart σ in the third part of the first subsignature of the file m to be signed 1,3,k , in, is the kth subset of the declared attribute set and the kth subset W′ of the signature attribute set ID,k difference of The i-th attribute in ; is a finite field The difference set attribute between the statement attribute set and the signature attribute set randomly selected from above random factor;

[0115] Finally, the first sub-signature σ of the file m to be signed 1 The first part σ of 1,1 , each subpart σ in the second part of all the first subsignatures 1,2,k , each subpart σ in the third part of all the first subsignatures 1,3,k Multiply to get the first sub-signature signature σ of the file m to be signed 1 :

[0116] C3. Generation of the second sub-signature

[0117] The signer calculates the second sub-signature σ of the file m to be signed 2 :

[0118] C4. Generation of the third sub-signature

[0119] The signer calculates the third sub-signature σ of the file m to be signed 3 : σ 3 =g v;

[0120] C5. Generation of the fourth sub-signature

[0121] The signer calculates the i-th sub-part σ in the k-th intersection of the fourth sub-signature of the file m to be signed 4,i',k : and the i-th sub-part in the k-th difference of the fourth sub-signature of the file m to be signed

[0122] The signer puts each sub-part in the k-th intersection part of the fourth sub-signature of the file m to be signed and each sub-part in the k-th difference part of the fourth sub-signature of the file m to be signed Link to get the kth part σ of the fourth sub-signature of the file m to be signed 4,k :

[0123]

[0124] Each part σ in the fourth sub-signature of the file m to be signed 4,1 ,…,σ 4,k ,…,σ 4,K Link to get the fourth sub-signature σ of the file m to be signed 4 : σ 4 = σ 4,1 ||...||σ 4,k ||...||σ 4,K;

[0125] C6, signature transmission

[0126] The file m to be signed, the first sub-signature σ 1 , the second sub-signature σ 2 , the third sub-signature σ 3 and the fourth subsignature σ 4 , sent to the web server;

[0127] D. Signature Verification

[0128] The network server receives the file m to be signed, the first sub-signature σ 1 , the second sub-signature σ 2 , the third sub-signature σ 3 and the fourth subsignature σ 4 After that, verify as follows:

[0129] the equation If it is established, it is determined that the signature is legal and the user ID is allowed to access the corresponding network resources;

[0130] Otherwise, it is determined that the signature is invalid, and the network server rejects the user ID's access to the corresponding network resource.

## PUM

## Description & Claims & Application Information

We can also present the details of the Description, Claims and Application information to help users get a comprehensive understanding of the technical details of the patent, such as background art, summary of invention, brief description of drawings, description of embodiments, and other original content. On the other hand, users can also determine the specific scope of protection of the technology through the list of claims; as well as understand the changes in the life cycle of the technology with the presentation of the patent timeline. Login to view more.