An isogeny-based traceable ring signature method and system

By building on CSIDH from isogeny-based cryptography and combining it with the OR protocol and the FS transformation, a traceable ring signature for a quantum computing environment is realized. This solves the problems of large signature size and lack of traceability in existing technologies, and provides a solution with high security and small signature size, which is suitable for blockchain anonymous voting and electronic cash systems.

CN116471025B · Active · Publication Date: 2026-06-26 · WUHAN UNIV

Patent Information

Authority / Receiving Office: CN · China
Patent Type: Patents (China)
Current Assignee / Owner: WUHAN UNIV
Filing Date: 2023-04-23
Publication Date: 2026-06-26


Abstract

The application discloses an isogeny-based traceable ring signature method and system. The method comprises a key generation step, a signature generation step, a signature verification step and a signature tracing step. The OR protocol and the FS transformation are introduced to construct the signature algorithm; while the correctness and linkability of the traceable ring signature are ensured, the functional characteristic of traceability is met, and the system can be effectively instantiated using different security level parameters of CSIDH. The application has the advantages of high security and small signature size, provides the tracing function on the basis of the linkable ring signature, can be widely applied to multiple application fields such as blockchain anonymous voting and electronic cash systems, and can resist quantum attacks.

Description

Technical Field

[0001] This invention relates to the field of information security technology, and in particular to an isogeny-based traceable ring signature method and system.

Background Technology

[0002] Digital signature technology, as an important tool for ensuring information integrity and authenticating identities, has become a key technology in the field of information security. Depending on the application scenario and needs, various forms of digital signatures have emerged: ring signatures, blind signatures, proxy signatures, and aggregate signatures, among others. Ring signatures can be considered a special type of group signature; they have no trusted center, no group establishment process, and the signer is completely anonymous to the verifier. Linkable ring signatures introduce the concept of a tag to characterize the specific event using the ring signature; two ring signatures with the same tag generated by the same private key can be publicly linked.

[0003] The emergence of quantum computers has dealt a systemic blow to classical cryptography. Unlike fundamental primitives such as digital signatures and public-key encryption, research on post-quantum secure ring signatures started relatively late and is still in a phase of rapid development. Isogeny-based cryptography is an important component of post-quantum cryptography. The main mathematical problems considered in this system include: isogeny computation, computation of endomorphism rings, and the structure of isogeny graphs. These problems guarantee the security of the SIDH (Supersingular Isogeny Diffie-Hellman) and CSIDH (Commutative Supersingular Isogeny Diffie-Hellman) key exchanges.

[0004] Currently, post-quantum ring signature schemes are in the development stage, and most of them are based on lattice-based post-quantum cryptographic primitives. The signature size is relatively large, and existing ring signature methods cannot provide traceability.

Summary of the Invention

[0005] This invention provides an isogeny-based method and system for generating traceable ring signatures. It introduces the OR protocol and FS transformation to construct a signature algorithm. While ensuring the correctness and linkability of the traceable ring signature, it also satisfies the functional characteristic of traceability. The system can be effectively instantiated using different security level parameters of CSIDH.

[0006] The first aspect of this invention provides a traceable ring signature method based on isogenies, comprising:

[0007] Key generation steps: Based on the input system parameter pp, output the public and private key pair for each user;

[0008] Signature generation steps: For user π, generate the signature value σ of user π based on user π's private key, the system user public key set R, the message to be signed M and the tag L;

[0009] Signature verification steps: The signer verifies the correctness of σ′ based on the system user public key set R, the message M′ to be verified, the tag L, and the signature value σ′ to be verified.

[0010] Signature tracing steps: Determine the correlation between the two signature pairs based on label L and the two message signature pairs (M1,σ1) and (M2,σ2) under label L.

[0011] In one implementation, the system parameters include S1 and X0, and the key generation step specifically includes:

[0012] a) Generate a private key for each user $i$ from $S_1$: $sk_i \leftarrow S_1$;

[0013] b) Generate the public key for each user $i$: $pk_i = X_i \leftarrow sk_i \star X_0$;

[0014] where $S_1$ is a symmetric subgroup of the additive group $G$, $X_0$ and $X_i$ are elements of the finite set $\chi$, $\leftarrow$ denotes assignment, $sk_i$ is the private key of user $i$, and $pk_i$ is the public key of user $i$.

[0015] In one implementation, the signature generation step specifically includes:

[0016] a) Parse the public keys of N users;

[0017] b) Hash the label $L$ and map it to an element $T_0$ of the finite set $\tau$; hash the pair $(L,M)$, $H'(L,M)$, and map it to an element $a$ of the set $S_1$; calculate $b \leftarrow sk_\pi - H'(a,\pi)$ and $T_\pi \leftarrow sk_\pi \cdot T_0$;

[0018] c) For all $i \in N$, $i \neq \pi$, calculate $T_i \leftarrow [b + H'(a,i)] \cdot T_0$;

[0019] d) Let $R = \{X_1,\dots,X_N\}$ and $T = \{T_1,\dots,T_N\}$; run the proof sub-process of the OR protocol, $P_1((R,T),(sk_\pi,\pi))$, to generate the commitment value sequence $com = (salt, (com_i)_{i \in [Z]})$;

[0020] e) Generate the challenge value sequence $chall = H_{FS}(M,(R,T),com)$; the challenge value follows the distribution $C_{Z,K}$, that is, the $chall$ sequence contains $K$ 0s and $Z-K$ 1s;

[0021] f) Run the proof sub-process of the OR protocol, $P_2((sk_\pi,\pi),chall)$, to generate the response value $rsp$;

[0022] g) Output the signature value $\sigma = (salt, b, chall, rsp)$;

[0023] where $T_i$ and $T_0$ are elements of the finite set $\tau$, $b$ is an element of the symmetric subgroup $S_1$, $sk_\pi$ is the private key of user $\pi$, $T_\pi$ is the element of the finite set $\tau$ corresponding to user $\pi$, $H$ is the hash function to the finite set $\tau$, $H'$ is the hash function to the symmetric subgroup $S_1$, $N$ is the number of ring members, $salt$ is the randomly generated salt value, $chall$ is the challenge value sequence, $rsp$ is the response value, $com$ is the generated commitment value sequence, $P=(P_1,P_2)$ is the signer's operation flow, and $P_1$, $P_2$ are sub-flows of $P$.

[0024] In one implementation, the signature verification step specifically includes:

[0025] a) Parse the $N$ user public keys and parse the signature $(salt', b, chall', rsp') \leftarrow \sigma'$;

[0026] b) Calculate $a' \leftarrow H'(L,M')$;

[0027] c) For all $i \in N$, compute $T_i = [b + H'(a',i)] \cdot T_0$;

[0028] d) Using the signature value $\sigma'$, the system user public key set $R = \{X_1,\dots,X_N\}$ and the computed $T = \{T_1,\dots,T_N\}$, recover the commitment sequence $com' \leftarrow \mathrm{RecoverCom}((R,T), salt', chall', rsp')$;

[0029] e) Run the verification sub-process of the OR protocol, $V_2(com', chall', rsp')$; if $V_2$ outputs accept and the computed $H_{FS}(M,(R,T),com')$ matches the challenge sequence $chall'$ in the signature $\sigma'$, accept the signature; otherwise, reject the signature.

[0030] where $T_i$ and $T_0$ are elements of the finite set $\tau$, $b$ is an element of the symmetric subgroup $S_1$, $H'$ is the hash function to the symmetric subgroup $S_1$, $N$ is the number of ring members, $salt'$ is the salt value generated during the verification process, $chall'$ is the sequence of challenge values during the verification process, $rsp'$ is the response value during the verification process, $com'$ is the sequence of commitment values generated by the verification process, and $V=(V_1,V_2)$ is the verifier's operation flow, where $V_1$ and $V_2$ are sub-flows of $V$.

[0031] In one implementation, the signature traceability step specifically includes:

[0032] a) Parse $b_1 \leftarrow \sigma_1$, $b_2 \leftarrow \sigma_2$ from the two signatures and initialize the list TList;

[0033] b) Calculate $a_1 \leftarrow H'(L,M_1)$ and $a_2 \leftarrow H'(L,M_2)$;

[0034] c) For all $i \in N$, compute $T_i = [H'(a_1,i)+b_1] \cdot T_0$ and $T'_i = [H'(a_2,i)+b_2] \cdot T_0$, and run $\mathrm{Link}_{GA}(T_i,T'_i)$ to determine whether $T_i$ and $T'_i$ are equal; if $1 \leftarrow \mathrm{Link}_{GA}(T_i,T'_i)$, store the corresponding $pk_i$ in the list TList;

[0035] d) If the table TList contains $N$ entries, output "Linked", indicating that the two message signature pairs $(M_1,\sigma_1)$ and $(M_2,\sigma_2)$ are linked, meaning that the same user has signed the same message twice; if the table TList contains only one public key, output $pk$ directly, indicating that the same user has signed different messages, and the user's identity has been disclosed; if the table TList is empty, output "Independent", indicating that the two message signature pairs $(M_1,\sigma_1)$ and $(M_2,\sigma_2)$ are independent and not related.

[0036] where $H'$ is the hash function to the symmetric subgroup $S_1$, $b_1$ and $b_2$ are the results obtained from parsing the signatures $\sigma_1$ and $\sigma_2$, respectively, $a_1$ and $a_2$ are elements of the set $S_1$, $T_0$ is an element of the finite set $\tau$, $\mathrm{Link}_{GA}(T_i,T'_i)$ is a function that determines whether two tags are consistent, returning 1 if they are and 0 otherwise, TList is a table that records tags, and $pk$ is the public key stored in the table TList.

[0037] Based on the same inventive concept, a second aspect of the present invention provides an isogeny-based traceable ring signature system, comprising:

[0038] The key generation module is used to output the public-private key pair for each user based on the input system parameter pp;

[0039] The signature generation module is used to generate a signature value σ for user π based on user π's private key, the system user public key set R, the message to be signed M, and the tag L.

[0040] The signature verification module is used by the signer to verify the correctness of σ′ based on the system user public key set R, the message M′ to be verified, the tag L, and the signature value σ′ to be verified.

[0041] The signature traceability module is used to determine the correlation between two signature pairs based on label L and the two message signature pairs (M1,σ1) and (M2,σ2) under label L.

[0042] Based on the same inventive concept, a third aspect of the present invention provides a computer-readable storage medium having a computer program stored thereon, which, when executed, implements the method described in the first aspect.

[0043] Based on the same inventive concept, a fourth aspect of the present invention provides a computer device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor executes the program to implement the method described in the first aspect.

[0044] Compared with the prior art, the advantages and beneficial technical effects of the present invention are as follows:

[0045] 1. Current post-quantum ring signature schemes are in the development stage, and most of them are based on lattice-based post-quantum cryptographic primitives, resulting in large signature sizes. No one has yet proposed a traceable ring signature based on isogenies. That is, the signature method provided by this invention can satisfy the functional characteristic of traceability while ensuring the correctness and linkability of traceable ring signatures.

[0046] 2. The traceable ring signature scheme provided by this invention provides traceability functionality on the basis of linkable ring signature, and can be widely used in multiple application fields such as blockchain anonymous voting and electronic cash systems.

Attached Figure Description

[0047] To more clearly illustrate the technical solutions in the embodiments of the present invention or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0048] Figure 1 is a flowchart of the signature generation and verification process in the method provided in the embodiments of the present invention;

[0049] Figure 2 is a flowchart illustrating signature tracing in the method provided in this embodiment of the invention;

[0050] Figure 3 shows the basic OR protocol flow and the prover (signer) operation flow provided in embodiments of the present invention;

[0051] Figure 4 shows the upper-layer OR protocol flow and the verifier (signature verifier) operation flow provided in embodiments of the present invention.

Detailed Implementation

[0052] A traceable ring signature is a variant of ring signatures that retains the flexibility of ring signatures while also possessing the characteristics of linkable ring signatures, and restricts the unconditional anonymity of ring signatures. In a traceable ring signature, two signatures generated by the same private key can not only be linked but also directly expose the signer's identity. A traceable ring signature has a label L. Ring members can use their own private keys to sign messages, and verifiers can verify the message signature against label L, but cannot know which specific member of the ring generated the signature. If a signer uses the same label to sign the same message more than once, the two signatures will be linked; if a signer generates signatures for two different messages under the same label, the signer's anonymity is no longer guaranteed. A secure traceable ring signature satisfies traceability, linkability, anonymity, and non-defamation.

[0053] The emergence of quantum computers has dealt a systemic blow to classical cryptography. Unlike fundamental primitives such as digital signatures and public-key encryption, research on post-quantum secure ring signatures started relatively late and is still in a phase of rapid development. Isogeny-based cryptography is an important component of post-quantum cryptography. The main mathematical problems considered in this system include: isogeny computation, computation of endomorphism rings, and the structure of isogeny graphs. These problems guarantee the security of the SIDH (Supersingular Isogeny Diffie-Hellman) and CSIDH (Commutative Supersingular Isogeny Diffie-Hellman) key exchanges.

[0054] Based on CSIDH from isogeny-based cryptography, this invention designs a traceable ring signature generation method and system. It introduces the OR protocol and FS transformation to construct the signature algorithm. While ensuring the correctness and linkability of the traceable ring signature, it also satisfies the traceability feature. The system can be effectively instantiated using different security level parameters of CSIDH.

[0055] To make the objectives, technical solutions, and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.

[0056] Example 1

[0057] This invention provides a traceable ring signature method based on isogenies, comprising:

[0058] Key generation steps: Based on the input system parameter pp, output the public and private key pair for each user;

[0059] Signature generation steps: For user π, generate the signature value σ of user π based on user π's private key, the system user public key set R, the message to be signed M and the tag L;

[0060] Signature verification steps: The signer verifies the correctness of σ′ based on the system user public key set R, the message M′ to be verified, the tag L, and the signature value σ′ to be verified.

[0061] Signature tracing steps: Determine the correlation between the two signature pairs based on label L and the two message signature pairs (M1,σ1) and (M2,σ2) under label L.

[0062] The specific symbols used and involved in this application are described as follows:

[0063] G: Additive group.

[0064] S1, S2: Two symmetric subgroups of the additive group G.

[0065] a, b: Elements in the symmetric subgroup S1.

[0066] $(pk_i, sk_i)$: User $i$'s public and private key pair.

[0067] $\tau$, $\chi$: Two finite sets.

[0068] $X_i$, $X_0$: Elements of the finite set $\chi$.

[0069] $T_i$, $T_0$: Elements of the finite set $\tau$.

[0070] $\star: G \times \chi \to \chi$.

[0071] $\cdot: G \times \tau \to \tau$.

[0072] $H_{FS}$: Hash function with range $C_{Z,K}$.

[0073] $C_{Z,K}$: Binary strings of length $Z$ containing $K$ 0s and $Z-K$ 1s.

[0074] H: Hash to Finite Set function.

[0075] H′: Hash to symmetric subgroup S1 function.

[0076] H″: A standard hash function.

[0077] ||: Bit string concatenation.

[0078] σ: Signature value.

[0079] λ: Scheme safety parameter.

[0080] PRG: Pseudo-random generator.

[0081] L: Tag, such as the event corresponding to the signature.

[0082] N: Number of ring members.

[0083] salt: A randomly generated salt value.

[0084] com: The generated commitment value.

[0085] P = (P1, P2): The proof (signer) operation flow, where P1 and P2 are sub-flows of P.

[0086] V = (V1, V2): Verifier (signature checker) operation flow, where V1 and V2 are sub-flows of V.

[0087] $\mathrm{Link}_{GA}(T_1,T_2)$: Determines whether two labels are the same. If $T_1 = T_2$, return 1; otherwise, return 0.

[0088] TList: A table that records tags.

[0089] The purpose of this invention is to propose a traceable ring signature generation method and system based on isogeny-based cryptography. In a self-organizing system, when a signer generates a signature for a message under label L, all users in the system can verify the legitimacy of the signature. When the same message is signed twice, the two generated signatures are linked. When signing different messages, the signer's identity is disclosed.

[0090] To achieve the objectives of this invention, a traceable ring signature generation method and system based on CSIDH is proposed. In this scheme, the system generates a public-private key pair for each user, denoted as s∈S1 for the private key sk and X=s★X0 for the public key pk. Each user can act as a signer, using their private key and the set of public keys from all users to sign messages M under different tags L. Any user of the system can run a signature verification algorithm to verify the validity of the signature and a traceability algorithm to determine the correlation between two signatures. The signature and verification algorithms are constructed based on the OR protocol. The basic OR protocol is run multiple times, using the commitment value, challenge value, and response value of each round as the signature. The signature verification algorithm verifies the validity of the signature based on the challenge value by running the OR protocol.

[0091] In one implementation, the system parameters include S1 and X0, and the key generation step specifically includes:

[0092] a) Generate a private key for each user $i$ from $S_1$: $sk_i \leftarrow S_1$;

[0093] b) Generate the public key for each user $i$: $pk_i = X_i \leftarrow sk_i \star X_0$;

[0094] where $S_1$ is a symmetric subgroup of the additive group $G$, $X_0$ and $X_i$ are elements of the finite set $\chi$, $\leftarrow$ denotes assignment, $sk_i$ is the private key of user $i$, and $pk_i$ is the public key of user $i$.

[0095] In one implementation, the signature generation step specifically includes:

[0096] a) Parse the public keys of N users;

[0097] b) Hash the label $L$ and map it to an element $T_0$ of the finite set $\tau$; hash the pair $(L,M)$, $H'(L,M)$, and map it to an element $a$ of the set $S_1$; calculate $b \leftarrow sk_\pi - H'(a,\pi)$ and $T_\pi \leftarrow sk_\pi \cdot T_0$;

[0098] c) For all $i \in N$, $i \neq \pi$, calculate $T_i \leftarrow [b + H'(a,i)] \cdot T_0$;

[0099] d) Let $R = \{X_1,\dots,X_N\}$ and $T = \{T_1,\dots,T_N\}$; run the proof sub-process of the OR protocol, $P_1((R,T),(sk_\pi,\pi))$, to generate the commitment value sequence $com = (salt, (com_i)_{i \in [Z]})$;

[0100] e) Generate the challenge value sequence $chall = H_{FS}(M,(R,T),com)$; the challenge value follows the distribution $C_{Z,K}$, that is, the $chall$ sequence contains $K$ 0s and $Z-K$ 1s;

[0101] f) Run the proof sub-process of the OR protocol, $P_2((sk_\pi,\pi),chall)$, to generate the response value $rsp$;

[0102] g) Output the signature value $\sigma = (salt, b, chall, rsp)$;

[0103] where $T_i$ and $T_0$ are elements of the finite set $\tau$, $b$ is an element of the symmetric subgroup $S_1$, $sk_\pi$ is the private key of user $\pi$, $T_\pi$ is the element of the finite set $\tau$ corresponding to user $\pi$, $H$ is the hash function to the finite set $\tau$, $H'$ is the hash function to the symmetric subgroup $S_1$, $N$ is the number of ring members, $salt$ is the randomly generated salt value, $chall$ is the challenge value sequence, $rsp$ is the response value, $com$ is the generated commitment value sequence, $P=(P_1,P_2)$ is the signer's operation flow, and $P_1$, $P_2$ are sub-flows of $P$.
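Step e) requires the challenge to land in $C_{Z,K}$, which a plain hash output does not do by itself. The sketch below is an added example, not code from the patent: it expands the hash input into a fixed-weight bit string, and the SHAKE-256 expansion, the length-prefixed encoding, the function names and the sample sizes used with it are assumptions.

```python
import hashlib


def _encode(*fields):
    """Length-prefix each byte field so (M, statement, com) parses unambiguously."""
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)


def _words(seed):
    """Endless stream of 32-bit integers derived from the seed with SHAKE-256."""
    counter = 0
    while True:
        block = hashlib.shake_256(seed + counter.to_bytes(4, "big")).digest(64)
        for off in range(0, 64, 4):
            yield int.from_bytes(block[off:off + 4], "big")
        counter += 1


def _below(words, bound):
    """Uniform integer in [0, bound) by rejection sampling (no modulo bias)."""
    limit = (1 << 32) - ((1 << 32) % bound)
    while True:
        w = next(words)
        if w < limit:
            return w % bound


def h_fs(message, statement, com, Z, K):
    """Map (M, (R,T), com) to a length-Z list with exactly K zeros and Z-K ones."""
    if not 0 <= K <= Z:
        raise ValueError("need 0 <= K <= Z")
    words = _words(_encode(message, statement, com))
    chall = [0] * K + [1] * (Z - K)
    # Fisher-Yates shuffle driven by the hash stream: the weight is fixed by
    # construction and every placement of the K zeros is equally likely.
    for i in range(Z - 1, 0, -1):
        j = _below(words, i + 1)
        chall[i], chall[j] = chall[j], chall[i]
    return chall


def challenge_matches(chall, message, statement, com, Z, K):
    """Verifier side: reject wrong length or weight, then recompute and compare."""
    if len(chall) != Z or chall.count(0) != K:
        return False
    return chall == h_fs(message, statement, com, Z, K)
```

The verifier-side helper rejects a challenge of the wrong length or weight before recomputing the hash, so a signature cannot carry a challenge outside $C_{Z,K}$.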

[0104] In one implementation, the signature verification step specifically includes:

[0105] a) Parse the $N$ user public keys and parse the signature $(salt', b, chall', rsp') \leftarrow \sigma'$;

[0106] b) Calculate $a' \leftarrow H'(L,M')$;

[0107] c) For all $i \in N$, compute $T_i = [b + H'(a',i)] \cdot T_0$;

[0108] d) Using the signature value $\sigma'$, the system user public key set $R = \{X_1,\dots,X_N\}$ and the computed $T = \{T_1,\dots,T_N\}$, recover the commitment sequence $com' \leftarrow \mathrm{RecoverCom}((R,T), salt', chall', rsp')$;

[0109] e) Run the verification sub-process of the OR protocol, $V_2(com', chall', rsp')$; if $V_2$ outputs accept and the computed $H_{FS}(M,(R,T),com')$ matches the challenge sequence $chall'$ in the signature $\sigma'$, accept the signature; otherwise, reject the signature.

[0110] where $T_i$ and $T_0$ are elements of the finite set $\tau$, $b$ is an element of the symmetric subgroup $S_1$, $H'$ is the hash function to the symmetric subgroup $S_1$, $N$ is the number of ring members, $salt'$ is the salt value generated during the verification process, $chall'$ is the sequence of challenge values during the verification process, $rsp'$ is the response value during the verification process, $com'$ is the sequence of commitment values generated by the verification process, and $V=(V_1,V_2)$ is the verifier's operation flow, where $V_1$ and $V_2$ are sub-flows of $V$.

[0111] The signature generation and verification flowchart provided in this embodiment of the invention is shown in Figure 1. Figure 2 is a flowchart of the signature tracing method provided in the embodiments of the present invention.

[0112] In one implementation, the signature traceability step specifically includes:

[0113] a) Parse $b_1 \leftarrow \sigma_1$, $b_2 \leftarrow \sigma_2$ from the two signatures and initialize the list TList;

[0114] b) Calculate $a_1 \leftarrow H'(L,M_1)$ and $a_2 \leftarrow H'(L,M_2)$;

[0115] c) For all $i \in N$, compute $T_i = [H'(a_1,i)+b_1] \cdot T_0$ and $T'_i = [H'(a_2,i)+b_2] \cdot T_0$, and run $\mathrm{Link}_{GA}(T_i,T'_i)$ to determine whether $T_i$ and $T'_i$ are equal; if $1 \leftarrow \mathrm{Link}_{GA}(T_i,T'_i)$, store the corresponding $pk_i$ in the list TList;

[0116] d) If the table TList contains $N$ entries, output "Linked", indicating that the two message signature pairs $(M_1,\sigma_1)$ and $(M_2,\sigma_2)$ are linked, meaning that the same user has signed the same message twice; if the table TList contains only one public key, output $pk$ directly, indicating that the same user has signed different messages, and the user's identity has been disclosed; if the table TList is empty, output "Independent", indicating that the two message signature pairs $(M_1,\sigma_1)$ and $(M_2,\sigma_2)$ are independent and not related.

[0117] where $H'$ is the hash function to the symmetric subgroup $S_1$, $b_1$ and $b_2$ are the results obtained from parsing the signatures $\sigma_1$ and $\sigma_2$, respectively, $a_1$ and $a_2$ are elements of the set $S_1$, $T_0$ is an element of the finite set $\tau$, $\mathrm{Link}_{GA}(T_i,T'_i)$ is a function that determines whether two tags are consistent, returning 1 if they are and 0 otherwise, TList is a table that records tags, and $pk$ is the public key stored in the table TList.

[0118] Correctness of the traceability (assuming user π generates the signature):

[0119] A) $(M,\sigma)$ and $(M',\sigma')$ are two signatures by the same user on the same message.

[0120] According to the signature algorithm, $b \leftarrow sk_\pi - H'(a,\pi)$ and $a \leftarrow H'(L,M)$. Since $M = M'$, we have $a = a'$ and $b = b'$, so for all $i \in N$, $T_i = T'_i$. At this point, the table TList contains $N$ public keys, and the signatures are linked.

[0121] B) $(M,\sigma)$ and $(M',\sigma')$ are two signatures by the same user on different messages.

[0122] According to the signature algorithm, $b \leftarrow sk_\pi - H'(a,\pi)$, $b' \leftarrow sk_\pi - H'(a',\pi)$, $a \leftarrow H'(L,M)$ and $a' \leftarrow H'(L,M')$. Since $M \neq M'$, we have $a \neq a'$ and $b \neq b'$. For all $i \in N$:

[0123] When $i = \pi$, $T_\pi = [H'(a,i)+b] \cdot T_0 = [H'(a,\pi)+sk_\pi-H'(a,\pi)] \cdot T_0 = sk_\pi \cdot T_0$ and $T'_\pi = [H'(a',i)+b'] \cdot T_0 = [H'(a',\pi)+sk_\pi-H'(a',\pi)] \cdot T_0 = sk_\pi \cdot T_0$, so $T_\pi = T'_\pi$ and $pk_\pi$ is stored in the table TList;

[0124] When $i \neq \pi$, $T_i = [H'(a,i)+b] \cdot T_0 = [H'(a,i)+sk_\pi-H'(a,\pi)] \cdot T_0$ and $T'_i = [H'(a',i)+b'] \cdot T_0 = [H'(a',i)+sk_\pi-H'(a',\pi)] \cdot T_0$. Since $a \neq a'$, $H'(a,i) \neq H'(a',i)$, therefore $T_i \neq T'_i$ and no operation is performed on TList.

[0125] At this point, the table TList contains one public key, $pk_\pi$, and the identity of user $\pi$ is disclosed.
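The tag algebra of signing steps b) and c) and the three outcomes of the tracing step can be exercised with a stand-in group action. This is an added example, not the patent's code: CSIDH is replaced by the insecure toy action g·T = T·5^g mod 2^130 with $S_1$ taken to be all of $G$, the OR proof is omitted so a "signature" is reduced to $b$, and all function names are hypothetical.

```python
import hashlib
import secrets

# Stand-in for the CSIDH action (an assumption of this example, not secure):
# G = Z_{2^128} acts freely on {T mod 2^130 : T = 1 mod 4} by g.T = T * 5^g.
MOD = 1 << 130
ORDER = 1 << 128          # multiplicative order of 5 modulo 2^130
X0 = 1                    # public base element for keys


def act(g, t):
    """Group action g . t, used here for both the key and the tag action."""
    return (t * pow(5, g % ORDER, MOD)) % MOD


def _hash_int(*parts):
    """SHA-256 over length-prefixed parts, truncated to 128 bits."""
    h = hashlib.sha256()
    for p in parts:
        raw = str(p).encode()
        h.update(len(raw).to_bytes(4, "big") + raw)
    return int.from_bytes(h.digest()[:16], "big")


def hash_to_set(label):
    """H: label -> element T0 of the tag set (forced to be 1 mod 4)."""
    return 4 * _hash_int("H", label) + 1


def hash_to_group(*parts):
    """H': used both as H'(L, M) -> a and as H'(a, i)."""
    return _hash_int("H'", *parts)


def keygen():
    """sk <- S1 (here: all of G), pk = sk * X0."""
    sk = secrets.randbelow(ORDER)
    return sk, act(sk, X0)


def sign_b(sk, pi, label, message):
    """Signing step b): the traceable part of the signature, b = sk - H'(a, pi)."""
    a = hash_to_group(label, message)
    return (sk - hash_to_group(a, pi)) % ORDER


def tags(label, message, b, n):
    """T_i = [b + H'(a, i)] . T0 for i = 1..n, as signer and verifier compute."""
    t0 = hash_to_set(label)
    a = hash_to_group(label, message)
    return [act(b + hash_to_group(a, i), t0) for i in range(1, n + 1)]


def trace(label, ring, pair1, pair2):
    """Tracing steps a)-d) for two (message, b) pairs under the same label."""
    (m1, b1), (m2, b2) = pair1, pair2
    n = len(ring)
    t, t_prime = tags(label, m1, b1, n), tags(label, m2, b2, n)
    tlist = [pk for pk, x, y in zip(ring, t, t_prime) if x == y]   # Link_GA
    if len(tlist) == n:
        return "Linked"
    if len(tlist) == 1:
        return tlist[0]              # the signer's public key is exposed
    if not tlist:
        return "Independent"
    # Not covered by step d); only reachable through a hash collision.
    raise ValueError("ambiguous TList")
```

In a full implementation the value $b$ is only trusted after the OR proof in the signature has been verified; tracing unverified pairs would let anyone frame a ring member.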

[0126] The upper-layer OR protocol used in the signature generation method is built upon the basic OR protocol. The basic OR protocol flow is shown in Figure 3: it proves knowledge of $(sk_\pi,\pi)$ satisfying $sk_\pi \star X_0 = X_\pi \wedge sk_\pi \cdot T_0 = T_\pi$, where $T_0$ and $X_0$ are public parameters, $X_i \leftarrow sk_i \star X_0$, $sk_i$ is randomly selected from $S_1$, and $r$ is randomly selected from $S_2$. The commitment is generated in the manner of $C_i \leftarrow O(Com \| R_i \| bits_i$. The upper-layer OR protocol is shown in Figure 4: in order to achieve the security level set by the system security parameters, the basic OR protocol is run multiple times and the distribution of the challenge value $c$ is controlled.

[0127] This invention discloses an isogeny-based traceable ring signature generation method and system. It introduces the OR protocol and FS transformation to construct the signature algorithm. While ensuring the correctness and linkability of the traceable ring signature, it also satisfies the functional characteristic of traceability. The system can be effectively instantiated using different security level parameters of CSIDH.

[0128] This invention has advantages such as high security and small signature size. Based on the linkable ring signature, it provides traceability function and can be widely used in many application fields such as blockchain anonymous voting and electronic cash system. It is also resistant to quantum attacks.

[0129] Example 2

[0130] Based on the same inventive concept, this embodiment provides an isogeny-based traceable ring signature system, including:

[0131] The key generation module is used to output the public-private key pair for each user based on the input system parameter pp;

[0132] The signature generation module is used to generate a signature value σ for user π based on user π's private key, the system user public key set R, the message to be signed M, and the tag L.

[0133] The signature verification module is used by the signer to verify the correctness of σ′ based on the system user public key set R, the message M′ to be verified, the tag L, and the signature value σ′ to be verified.

[0134] The signature traceability module is used to determine the correlation between two signature pairs based on label L and the two message signature pairs (M1,σ1) and (M2,σ2) under label L.

[0135] Since the system described in Embodiment 2 of this invention is the system used to implement the isogeny-based traceable ring signature method of Embodiment 1 of this invention, those skilled in the art can understand the specific structure and variations of this system based on the method described in Embodiment 1 of this invention, and therefore they will not be repeated here. All systems used in the method of Embodiment 1 of this invention fall within the scope of protection of this invention.

[0136] Example 3

[0137] Based on the same inventive concept, the present invention also provides a computer-readable storage medium having a computer program stored thereon, which, when executed, implements the method described in Embodiment 1.

[0138] Since the computer-readable storage medium described in Embodiment 3 of this invention is the computer-readable storage medium used in implementing the isogeny-based traceable ring signature method of Embodiment 1 of this invention, those skilled in the art can understand the specific structure and variations of this computer-readable storage medium based on the method described in Embodiment 1 of this invention, and therefore they will not be repeated here. All computer-readable storage media used in the method of Embodiment 1 of this invention fall within the scope of protection of this invention.

[0139] Example 4

[0140] Based on the same inventive concept, this application also provides a computer device, including storage, a processor, and a computer program stored in the storage and executable on the processor, wherein the processor executes the program to implement the method in Embodiment 1.

[0141] Since the computer device described in Embodiment 4 of this invention is the computer device used to implement the isogeny-based traceable ring signature method of Embodiment 1 of this invention, those skilled in the art can understand the specific structure and variations of this computer device based on the method described in Embodiment 1 of this invention, and therefore they will not be repeated here. All computer devices used in the method of Embodiment 1 of this invention fall within the scope of protection of this invention.

[0142] Those skilled in the art will understand that embodiments of the present invention can be provided as methods, systems, or computer program products. Therefore, the present invention can take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention can take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.

[0143] This invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, produce a device for implementing the functions specified in one or more processes of the flowchart and/or one or more boxes of the block diagram.

[0144] Although preferred embodiments of the invention have been described, those skilled in the art, upon learning the basic inventive concept, can make other changes and modifications to these embodiments. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments as well as all changes and modifications falling within the scope of the invention.

[0145] Obviously, those skilled in the art can make various modifications and variations to the embodiments of the present invention without departing from the spirit and scope of the embodiments of the present invention. Thus, if these modifications and variations to the embodiments of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention also intends to include these modifications and variations.

Claims

1. A traceable ring signature method based on homology, characterized in that it comprises:
Key generation step: based on the input system parameters, output each user's public/private key pair;
Signature generation step: for a user, according to the user's private key, the system user public key set, the message to be signed and the tag, generate the user's signature value;
Signature verification step: the signer uses the system user public key set, the message to be verified, the tag and the signature value to be verified to verify the correctness of the signature value;
Signature traceability step: based on the tag and the two message-signature pairs under that tag, determine the correlation between the two signature pairs;
The signature generation step specifically includes:
a) Parse the public keys of the N users;
b) Hash the tag, mapping it to an element in a set; hash the data, mapping it to an element in a set; calculate , calculate ;
c) For all , calculate ;
d) Let ; run the OR protocol to generate a sequence of commitment values ;
e) Generate a sequence of challenge values ; the challenge values conform to the distribution , that is, the sequence satisfies the following condition: the number of 0s is K, and the number of 1s is ZK;
f) Run the proof subprocess of the OR protocol: generate the response value ;
g) Output the signature value ;
wherein, For a finite set The elements in symmetric subgroup The elements in Representation of operations , For users private key, For users In finite sets The corresponding element in Hash to a finite set function, For hashing to symmetric subgroups function, For the number of ring members, The salt value is randomly generated. For the challenge value sequence, For response value, For the generated sequence of commitment values, For the signer's calculation process, for Sub-processes.

2. The traceable ring signature method based on homology as described in claim 1, characterized in that the system parameters include , and the key generation step specifically includes:
a) According to , for each user generate the private key: ;
b) Generate each user's public key: ;
wherein, For addition group symmetric subgroups , For a finite set The elements in This indicates an assignment operation. For users private key, For users public key, For operation .

3. The traceable ring signature method based on homology as described in claim 1, characterized in that the signature verification step specifically includes:
a) Parse the N user public keys and parse the signature ;
b) Calculate ;
c) For all , calculate ;
d) From the signature value , the system user public keys and the calculated , restore the commitment sequence ;
e) Run the OR protocol verification subprocess: ; when it outputs accept, compute ; if the result matches the challenge sequence in the signature, accept the signature; otherwise, reject the signature;
wherein, For a finite set The elements in symmetric subgroup The elements in For hashing to symmetric subgroups function, For the number of ring members, To verify the salt value generated during the process, To verify the sequence of challenge values during the process, To verify the response value during the process, To verify the sequence of commitment values generated, The calculation process for the verifier. for Sub-processes.

4. The traceable ring signature method based on homology as described in claim 1, characterized in that the signature traceability step specifically includes:
a) Parse from the two signatures, and initialize the list;
b) Calculate ;
c) For all , calculate , ; run to judge whether they are equal, and save the corresponding to the list ;
d) If the list has N entries, output "link": the two message-signature pairs are linked, which means that the same user signed the same message twice; if the list contains only one public key pk, output pk directly, which indicates that the same user has signed different messages, thus revealing the user's identity; if the list is empty, output "Independent": the two message-signature pairs are independent and unrelated;
wherein, For hashing to symmetric subgroups function, , From the signature , The results obtained from the analysis , They are respectively Elements in the set For a finite set The elements in This function determines whether two labels are identical; it returns 1 if they are identical and 0 otherwise. For a table to record tags, pk is the table. The public key stored in [the database].

5. A traceable ring signature system based on homology, characterized in that, based on the method described in claim 1, it comprises:
a key generation module, used to output each user's public/private key pair based on the input system parameters;
a signature generation module, used for a user to generate the user's signature value according to the user's private key, the system user public key set, the message to be signed and the tag;
a signature verification module, used by the signer to verify the correctness of the signature value to be verified, using the system user public key set, the message to be verified and the tag;
a signature traceability module, used to determine the correlation between two signature pairs based on the tag and the two message-signature pairs under that tag.

6. A computer-readable storage medium having a computer program stored thereon, characterized in that, when the program is executed by a processor, it implements the method as described in any one of claims 1 to 4.

7. A computer device, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, characterized in that, when the processor executes the program, it implements the method as described in any one of claims 1 to 4.