A multi-authority publicly accountable identity anonymous authentication method

By designing an anonymous authentication method under multiple authoritative institutions and using digital signatures and zero-knowledge proof schemes to generate labels, the problem of public accountability for anonymous authentication under multiple authoritative institutions is solved, achieving a balance between user anonymity and accountability.

CN116707816BActive Publication Date: 2026-07-03JINAN UNIVERSITY

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
JINAN UNIVERSITY
Filing Date
2023-05-11
Publication Date
2026-07-03

AI Technical Summary

Technical Problem

Existing anonymous identity authentication protocols cannot achieve public accountability under multiple authoritative institutions, and cannot meet users' needs for multiple certificates.

Method used

We design an anonymous authentication method for multiple authoritative institutions based on two digital signature schemes and a non-interactive zero-knowledge proof scheme. By generating link tags and tracking tags, we achieve user anonymity and public accountability.

Benefits of technology

It achieves privacy protection through anonymous user authentication under multiple authoritative institutions, while allowing anyone to publicly hold malicious users accountable, meeting the requirements of multiple certificates and achieving decentralized characteristics.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN116707816B_ABST
    Figure CN116707816B_ABST
Patent Text Reader

Abstract

This invention discloses a multi-authority, publicly traceable, anonymous authentication method. The method includes the following steps: generating global parameters based on the public key of a first key pair, a public reference string, a first hash function, and a second hash function; generating the public key of a second key pair as the verification key for an authoritative authority, and using the private key of the second key pair as the signing key; generating a user's key pair; the authoritative authority generating a certificate based on the user's attributes; calculating a link tag based on the first hash function and a tracking tag based on the second hash function; obtaining the link tag, tracking tag, and proof to generate an authentication; verifying the validity of the authentication; checking the linkability of the authentication; obtaining two messages with the same link tag and their authentications, and calculating the user's public key. This invention satisfies the user's need for multiple certificates, achieves anonymous authentication under multiple authoritative authorities, and enables public accountability for users who have authenticated multiple times under multiple authoritative authorities.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of anonymous identity authentication technology, specifically to a multi-authoritative, publicly traceable anonymous identity authentication method. Background Technology

[0002] With the development of network and information technology, identity authentication has become an effective guarantee for secure website login, secure information transmission, and secure data exchange. In the context of cyberspace security, identity authentication and privacy protection have naturally become current research hotspots, and anonymous authentication protocols are gradually gaining widespread attention. On the one hand, privacy-protected identity authentication protocols tend to ensure that user identities are not disclosed, achieving user anonymity, such as ring signatures and anonymous credentials. On the other hand, to prevent malicious users from abusing anonymity, schemes such as group signatures, traceable signatures, and traceable anonymous credentials achieve traceability, allowing trusted authoritative institutions to hold malicious users accountable, thus achieving an effective balance between anonymity and accountability.

[0003] Anonymous authentication protocols ensure users authenticate with verifiers in a privacy-preserving manner. These protocols typically distribute keys or certificates to users through an authoritative structure, fulfilling their identity verification needs. However, most anonymized authentication protocols revolve around a single authoritative authority, failing to address the reality of users possessing multiple certificates. Furthermore, while multi-authoritative anonymized authentication protocols can achieve accountability, they cannot guarantee public accountability. For example, in terms of accountability, multi-authoritative group signatures and traceable multi-authoritative anonymous credentials achieve anonymity and accountability across multiple trusted authorities, but this accountability relies solely on the authoritative authority and cannot further guarantee public accountability that can be exercised by anyone. Conversely, k-times anonymous authentication and publicly linkable and traceable ring signatures guarantee the anonymity of a single authentication, allowing anyone to track users beyond the number of authentications, achieving public accountability but not public accountability across multiple authorities. Therefore, achieving public accountability in multi-authoritative anonymized authentication remains a significant challenge. Summary of the Invention

[0004] To overcome the defects and shortcomings of existing technologies, this invention provides a multi-authoritative, publicly traceable anonymous identity authentication method. This invention realizes a privacy-protected identity authentication mechanism based on multiple authoritative institutions, and allows anyone to hold a malicious user accountable in the event of privacy abuse, further revealing the malicious user's true identity. It meets the user's need for multiple certificates, achieves the purpose of anonymous user authentication under multiple authoritative institutions, and further realizes the characteristics of public traceability while ensuring user privacy.

[0005] To achieve the above objectives, the present invention adopts the following technical solution:

[0006] This invention provides a multi-authoritative, publicly traceable, anonymous identity authentication method, comprising the following steps:

[0007] The first key pair is generated based on the initialization algorithm of the first digital signature scheme, a public reference string is generated based on the initialization algorithm of the non-interactive zero-knowledge proof scheme, a first hash function and a second hash function are set, global parameters are generated based on the public key of the first key pair, the public reference string, the first hash function and the second hash function, and the private key of the first key pair is set as the master private key.

[0008] The initialization algorithm based on the second digital signature scheme generates a second key pair. The public key of the second key pair is used as the verification key of the authoritative institution, and the private key of the second key pair is used as the signing key.

[0009] Generate the user's public and private keys based on a key generation algorithm;

[0010] Define a set of user attributes, and an authoritative organization generates a certificate based on the signature algorithm of the second digital signature scheme according to the user attributes;

[0011] The link tag is calculated based on the first hash function, and the tracking tag is calculated based on the second hash function.

[0012] Proofs are generated using a proof algorithm based on a non-interactive zero-knowledge proof scheme;

[0013] Obtain link tags, tracking tags, and proof to generate authentication;

[0014] The validity of the authentication is verified based on the verification algorithm;

[0015] Get any two messages with the same event identifier and their authentication, and check whether the link tags in the authentications of the two messages are the same based on the linking algorithm.

[0016] Retrieve the two messages with the same link tag and their authentication, calculate the user's private key and corresponding public key based on the tracking algorithm, and output the user's public key.

[0017] As a preferred technical solution, the first digital signature scheme is represented as follows:

[0018] Let D = (D.Init, D.Sign, D.Verify) be the first digital signature scheme, where D.Init(λ) is the initialization algorithm for scheme D, taking the security parameter λ as input and outputting the key pair (dpk). D dsk D ), dpk D It's the public key, dsk DThis is the private key, used to initialize scheme D; D.Sign(m, dsk) D Let be the signature algorithm for scheme D, with input message m and private key dsk. D Generate signature σ D D.Verify(m, σ) is used to generate digital signatures. D dpk D ) is the verification algorithm for scheme D, with input message m and signature σ. D and public key DPK D Output the verification results.

[0019] As a preferred technical solution, the second digital signature scheme is represented as follows:

[0020] Let S = (S.Init, S.Sign, S.Verify) be the second digital signature scheme, where S.Init(λ) is the initialization algorithm for scheme S, taking the security parameter λ as input and outputting the key pair (dpk). S ,dsk S ), dpk S It's the public key, dsk S This is the private key, used to initialize scheme S; S.Sign(m, dsk) S Let ds be the signature algorithm for scheme S, with input message m and private key dsk. S Generate signature σ S S.Verify(m, σ) is used to generate digital signatures. S dpk S ) is the verification algorithm for scheme S, with input message m and signature σ. S and public key DPK S Output the verification results.

[0021] As a preferred technical solution, the non-interactive zero-knowledge proof scheme is expressed as follows:

[0022] Let Z = (Z.Init, Z.ProGen, Z.ProVer) be a zk-SNARK non-interactive zero-knowledge proof scheme, where Z.Init(λ) is the initialization algorithm for scheme Z, taking the security parameter λ as input and outputting the common reference string zpp. Z Z.ProGen(s, w, zpp) is used to initialize the Z scheme. Z () is the proof algorithm for the ZK scheme. Inputs include the declaration s, the secret w, and the public reference string zpp. z Output the proof π, used to generate the proof; Z.ProVer(s,π,zpp) z Let be the verification algorithm for scheme Z, and let be the input declaration s, proof π, and common reference string zpp. ZThe output is 0 or 1, used to verify the proof. If the verification is successful, the output is 1.

[0023] As a preferred technical solution, the global parameter is represented as follows:

[0024] param=(dpk D zpp Z (,H1,H2);

[0025] Where param represents global parameters, dpk D This represents the public key of the first key pair, zpp Z The common reference string is represented by H1 and H2, which represent the first hash function and the second hash function, respectively.

[0026] First hash function H1: (0, 1) * →MS;

[0027] Second hash function H2: (0, 1) * →MS;

[0028] MS defines the message space for the second digital signature scheme.

[0029] As a preferred technical solution, a user attribute set is defined, and multiple authoritative institutions generate certificates based on the user's attributes and the signature algorithm of the second digital signature scheme, specifically as follows:

[0030] The user's attribute set is represented as: Attr = {upk, attr2, ..., attr} n};

[0031] Where upk represents the user's public key, attr n Represents user attributes;

[0032] The i-th one has the second key pair An authoritative organization generates a certificate for a specific attribute, attri, within a user's attribute set, Attr.

[0033] Here, S.Sign represents the signature algorithm of the second digital signature scheme.

[0034] As a preferred technical solution, the link tag is calculated based on the first hash function, and the tracking tag is calculated based on the second hash function, specifically as follows:

[0035] The link label t1 = H1(auid||usk) is calculated using the first hash function;

[0036] The tracking tag t2 = H2(auid||usk||upk) is calculated using the second hash function;

[0037] Here, auid represents the event identifier, usk represents the user's private key, and upk represents the user's public key.

[0038] As a preferred technical solution, a proof algorithm based on a non-interactive zero-knowledge proof scheme is used to generate proofs, specifically including:

[0039] Let s = (M, t1, t2, APK, param) be a declaration, and w = (usk, Attr, δ) be a secret, where the message M = auid||m, and the certificate set δ = {σ1, ..., σ...} n}, the attribute set Attr = {upk, attr2, ..., attr} n}, the set of verification keys from authoritative institutions make Let be an NP language, meaning that for some s, there exists a corresponding w such that upk = f(usk). Given t1 = H1(auid||usk) and t2 = H2(auid||usk||upk) + m·usk, then for NP-hard languages, generate the proof π = Z.ProGen(s, w, zpp). Z );

[0040] Obtain the link tag, tracking tag, and proof, and generate the authentication, represented as authentication τ = (t1, t2, π);

[0041] Where auid represents the event identifier, || represents the concatenation operator, m represents the message payload, ∧ represents the AND concatenation operator, and σ represents the AND concatenation operator. n This refers to the certificate, upk represents the user's public key, usk represents the user's private key, and Attr represents the user's set of attributes. n This represents a specific attribute within a set of user attributes; APK represents a set of verification keys from an authoritative organization. This represents the verification key of a certain authoritative institution, param represents global parameters, t1 represents the link tag, t2 represents the tracking tag, f represents a one-way function, and S.Verify represents the verification algorithm of the second digital signature scheme.

[0042] As a preferred technical solution, obtain any two messages with the same event identifier and their authentication, and check whether the link tags in the authentications of the two messages are equal based on a linking algorithm. Specifically, this includes:

[0043] Retrieve two messages M = auid||m and M′ = auid||m′ with the same event identifier auid. The authentication representations of the two messages are: τ = (t1, t2, π) and τ′ = (t1′, t2′, π′).

[0044] Where τ and τ′ represent the authentications corresponding to the two messages, t1 and t1′ represent the link tags of the authentications corresponding to the two messages, t2 and t2′ represent the tracking tags of the authentications corresponding to the two messages, and π and π′ represent the proofs of the authentications corresponding to the two messages.

[0045] Check if t1 is equal to t1′. If t1 = t1′, output 1 to indicate a link; otherwise, output 0 to indicate no link.

[0046] As a preferred technical solution, the process involves obtaining two messages with the same link tag and their authentication, calculating the user's private key and corresponding public key based on a tracking algorithm, and outputting the user's public key. Specifically, this includes:

[0047] Calculate the user's private key: usk = (t2′-t2) / (m′-m), where usk represents the user's private key, t2 and t2′ represent the authentication tracking tags corresponding to the two messages, and m and m′ represent the payload content of the two messages;

[0048] Calculate the user's public key: upk = f(usk), where f represents a one-way function.

[0049] Compared with the prior art, the present invention has the following advantages and beneficial effects:

[0050] (1) This invention addresses the need for multiple authoritative institutions in the current publicly traceable anonymous authentication scheme. It extends the publicly traceable anonymous authentication protocol of a single authoritative institution to a protocol that supports multiple authoritative institutions, thus meeting the user's need for multiple certificates and achieving the effect of anonymous authentication for users under multiple authorities, thereby achieving the characteristics of decentralization.

[0051] (2) This invention utilizes two digital signature schemes and a non-interactive zero-knowledge proof scheme to design and construct a publicly traceable anonymous authentication scheme under multiple authoritative institutions, thereby achieving the purpose of anonymity and publicly traceable status under multiple authoritative institutions.

[0052] (3) In response to the need for public accountability under multiple authoritative institutions, this invention uses two different hash functions and a non-interactive zero-knowledge proof scheme to design a tag that can guarantee public linkability and public traceability. By using the tag generated by user authentication, it achieves the purpose of allowing anyone to publicly identify the authentication generated by the same user and further track the identity of the corresponding user who has been authenticated more than twice. Attached Figure Description

[0053] Figure 1 This is a flowchart illustrating the multi-authoritative, publicly traceable, and anonymous identity authentication method of the present invention. Detailed Implementation

[0054] To make the objectives, technical solutions, and advantages of this invention clearer, the invention will be further described in detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative and not intended to limit the invention.

[0055] like Figure 1 As shown, this embodiment provides a multi-authoritative, publicly traceable, anonymous identity authentication method, including the following steps:

[0056] Let D = (D.Init, D.Sign, D.Verify) be the first digital signature scheme, where D.Init(λ) is the initialization algorithm for scheme D, taking the security parameter λ as input and outputting the key pair (dpk). D dsk D ), dpk D It's the public key, dsk D This is the private key, used to initialize scheme D; D.Sign(m, dsk) D Let be the signature algorithm for scheme D, with input message m and private key dsk. D Generate signature σ D D.Verify(m, σ) is used to generate digital signatures. D dpk D ) is the verification algorithm for scheme D, with input message m and signature σ. D and public key DPK d The output is either 0 or 1, used to verify the correctness of the digital signature. If the verification is successful, the output is 1; otherwise, the output is 0.

[0057] Let S = (S.Init, S.Sign, S.Verify) be the second digital signature scheme, where S.Init(λ) is the initialization algorithm for scheme S, taking the security parameter λ as input and outputting the key pair (dpk). S dsk S ), dpk S It's the public key, dsk S This is the private key, used to initialize scheme S; S.Sign(m, dsk) S Let ds be the signature algorithm for scheme S, with input message m and private key dsk. S Generate signature σ S S.Verify(m, σ) is used to generate digital signatures. S dpk S ) is the verification algorithm for scheme S, with input message m and signature σ. Sand public key DPK S The output is either 1 or 0, used to verify the correctness of the digital signature. If the verification is successful, the output is 1; otherwise, the output is 0.

[0058] Let Z = (Z.Init, Z.ProGen, Z.ProVer) be a zk-SNARK non-interactive zero-knowledge proof scheme, where Z.Init(λ) is the initialization algorithm for scheme Z, taking the security parameter λ as input and outputting the common reference string zpp. Z Z.ProGen(s, w, zpp) is used to initialize the Z scheme. Z () is the proof algorithm for the ZK scheme. Inputs include the declaration s, the secret w, and the public reference string zpp. Z Output the proof π, used to generate the proof; Z.ProVer(s,π,zpp) Z Let be the verification algorithm for scheme Z, and let be the input declaration s, proof π, and common reference string zpp. Z The output is 0 or 1, used to verify the proof. If the verification is successful, the output is 1.

[0059] Let f be a one-way function that satisfies upk = f(usk).

[0060] The multi-authoritative, publicly traceable, and anonymous identity authentication method mainly includes eight algorithms: Init (initialization algorithm), AKeyGen (authoritative key generation algorithm), UKeyGen (user key generation algorithm), ASign (user certificate generation algorithm), AuthGen (authentication generation algorithm), AuthVer (verification algorithm), PLink (linking algorithm), and PTrace (tracing algorithm). Specifically, these include:

[0061] (1) Initialization algorithm Init:

[0062] Run D.Init(λ) of the first digital signature scheme D to generate a key pair (dpk). D dsk D );

[0063] Z.Init(λ) of Z, which runs a non-interactive zero-knowledge proof scheme, generates the public reference string zpp. Z ;

[0064] Choose two different hash functions. The first hash function H1: (0, 1) * →MS, Second hash function H2: (0, 1) * →MS, where MS defines the message space of the second digital signature scheme S.

[0065] Output global parameter param = (dpk D zpp ZH1, H2), Master private key msk = dsk D .

[0066] (2) AKeyGen, an authoritative key generation algorithm:

[0067] Run S.Init(λ) of the second digital signature scheme S to generate a key pair (dpk). S dsk S );

[0068] Output verification key dpk S and signing key dsk S .

[0069] (3) User key generation algorithm UKeyGen:

[0070] Choose a private key usk∈MS from the message space and compute the public key upk=f(usk);

[0071] Output key pair (upk, usk).

[0072] (4) User certificate generation algorithm ASign:

[0073] Given a user's attribute set Attr = {upk, attr2, ..., attr} n}, the i-th one has a key pair An authoritative organization calculates a specific attribute `attri` within a user's attribute set `Attr`.

[0074] Output certificate σ i .

[0075] (5) AuthGen authentication generation algorithm:

[0076] Given a message M = auid || m, a user's private key usk, and an attribute set Attr = {upk, attr2, ..., attr} n The certificate set δ = {σ1, ..., σ} n} and the set of verification keys from authoritative institutions Where || represents the concatenation operator, used to connect two characters;

[0077] The link label t1 = H1(auid||usk) is calculated using the first hash function;

[0078] The tracking tag t2 = H2(auid||usk||upk) is calculated using the second hash function;

[0079] Let s = (M, t1, t2, APK, param) be a declaration, and w = (usk, Attr, δ) be a secret;

[0080] Let L = {s = (M, t1, t2, APK, param)}, st{{upk= Let be an NP language, meaning that for some s, there exists a corresponding w such that upk = f(usk). Given t1 = H1(auid||usk) and t2 = H2(auid||usk||upk) + m·usk, then for NP-hard languages, generate the proof π = Z.ProGen(s, w, zpp). Z );

[0081] Output authentication τ = (t1, t2, π).

[0082] Where auid is the event identifier, m is the payload of message M, and ∧ is the AND operator.

[0083] (6) AuthVer verification algorithm:

[0084] Calculate b = Z.ProVer(s, π, zpp) Z ),

[0085] Output b = 0 or 1 to verify the validity of authentication τ. If the Z.ProVer algorithm verifies the authentication, output 1, indicating that the authentication is valid.

[0086] (7) PLink Link Algorithm:

[0087] Given two messages M = auid||m and M′ = auid||m′ with the same event identifier auid, and their corresponding authentications τ = (t1, t2, π) and τ′ = (t1′, t2′, π′), check whether t1 is equal to t1′.

[0088] If t1 = t1′, output 1, indicating a link; otherwise, output 0, indicating no link.

[0089] (8) PTrace tracing algorithm:

[0090] Given two messages whose PLink algorithm output is 1 and their authentications (M, τ) and (M′, τ′), calculate usk = (t2′-t2) / (m′-m);

[0091] Calculate upk = f(usk);

[0092] Output the public key upk.

[0093] Existing publicly traceable anonymous authentication schemes are all designed around a single authoritative institution and cannot achieve a structure with multiple authoritative institutions. This invention addresses the problem that current publicly traceable anonymous authentication schemes cannot support multiple authoritative institutions, and proposes a method, system, and storage medium for publicly traceable anonymous authentication with multiple authoritative institutions. This satisfies users' needs for multiple certificates, achieves the goal of anonymous authentication with multiple authoritative institutions, and further realizes publicly traceable characteristics while ensuring user privacy.

[0094] This invention proposes a multi-authority, publicly traceable, anonymous authentication method, primarily applicable to one-to-many scenarios, i.e., multiple certificate authorities, one verifier, and multiple users. Specifically, the certificate authority runs the Init and AKeyGen algorithms, the user runs the UKeyGen algorithm, the certificate authority runs the ASign algorithm, the user runs the AuthGen algorithm, and the verifier or any other individual runs the AuthVer, PLink, and PTrace algorithms. This invention utilizes multiple certificate authorities, each issuing a certificate for a specific attribute of a user; that is, one certificate authority is responsible for issuing one certificate. The user generates authentication based on multiple certificates issued by multiple authorities, satisfying the user's need for multiple certificates and achieving anonymous authentication under multiple authority structures. While ensuring user privacy, it further realizes the characteristics of public traceability.

[0095] The above embodiments are preferred embodiments of the present invention, but the embodiments of the present invention are not limited to the above embodiments. Any changes, modifications, substitutions, combinations, or simplifications made without departing from the spirit and principle of the present invention shall be considered equivalent substitutions and shall be included within the protection scope of the present invention.

Claims

1. A method for multi-authority publicly accountable identity anonymous authentication, characterized in that, Includes the following steps: An authoritative institution generates a first key pair based on the initialization algorithm of the first digital signature scheme, generates a public reference string based on the initialization algorithm of the non-interactive zero-knowledge proof scheme, sets a first hash function and a second hash function, generates global parameters based on the public key of the first key pair, the public reference string, the first hash function and the second hash function, and sets the private key of the first key pair as the master private key. The authoritative institution generates a second key pair based on the initialization algorithm of the second digital signature scheme. The public key of the second key pair is used as the verification key of the authoritative institution, and the private key of the second key pair is used as the signing key. Users generate their public and private keys based on a key generation algorithm; An authoritative body sets a set of user attributes. The authoritative body generates a certificate based on the signature algorithm of the second digital signature scheme for the user's attributes. There are multiple authoritative bodies, and each authoritative body generates a certificate for a certain attribute of a user. The user calculates the link tag based on the first hash function and the tracking tag based on the second hash function, specifically as follows: Given message , user's private key ; calculating the link tag by a first hash function ; The tracking tag is calculated using the second hash function. ; in, Indicates an event identifier, This represents the user's private key. This represents the user's public key. This represents a connector used to join two characters together. Users generate proofs based on proof algorithms of non-interactive zero-knowledge proof schemes; User-generated authentication, indicated as authentication. ; prove Z.ProGen , , ( ) is the proof algorithm for the Z-scheme, input declaration ,secret and public reference strings Output proof ; make For a statement, For a secret, Represents a user's set of attributes. Represents a set of certificates. This represents the set of verification keys from an authoritative organization; param represents global parameters. Verifiers obtain authentication consisting of link tags, tracking tags, and proofs. ; The verifier verifies the validity of the authentication based on a verification algorithm using a non-interactive zero-knowledge proof scheme. The verifier obtains any two messages with the same event identifier and their authentication, and checks whether the link tags in the authentications of the two messages are the same based on the linking algorithm. The verifier obtains two messages with the same link tag and their authentication, calculates the user's private key and corresponding public key based on the tracking algorithm, and outputs the user's public key.

2. The multi-authoritative, publicly traceable, anonymous identity authentication method according to claim 1, characterized in that, The first digital signature scheme is represented as follows: Let D = (D.Init, D.Sign, D.Verify) be the first digital signature scheme, where D.Init(λ) is the initialization algorithm for scheme D, taking the security parameter λ as input and outputting a key pair ( , ), It is a public key. It is the private key used to initialize scheme D; D.Sign( , () is the signature algorithm for scheme D, and the input message is... and private key Generate signature D.Verify ( is used to generate digital signatures) , , () is the verification algorithm for scheme D, input message ,sign and public key Output the verification results.

3. The multi-authoritative, publicly traceable, anonymous identity authentication method according to claim 1, characterized in that, The second digital signature scheme is represented as follows: Let S = (S.Init, S.Sign, S.Verify) be the second digital signature scheme, where S.Init(λ) is the initialization algorithm for scheme S, taking the security parameter λ as input and outputting a key pair ( , ), It is a public key. It is the private key, used to initialize scheme S; S.Sign( , ( ) is the signature algorithm for scheme S, input message and private key Generate signature S.Verify is used to generate digital signatures. , , ) is the verification algorithm for scheme S, input message ,sign and public key Output the verification results.

4. The multi-authoritative, publicly traceable, anonymous identity authentication method according to claim 1, characterized in that, The non-interactive zero-knowledge proof scheme is expressed as follows: Let Z = (Z.Init, Z.ProGen, Z.ProVer) be a zk-SNARK non-interactive zero-knowledge proof scheme, where Z.Init(λ) is the initialization algorithm for scheme Z, taking the security parameter λ as input and outputting a common reference string. Z.ProGen is used to initialize the Z scheme. , , ( ) is the proof algorithm for the Z-scheme, input declaration ,secret and public reference strings Output proof Z.ProVer is used to generate proofs. , , () is the verification algorithm for scheme Z, input declaration ,prove and public reference strings The output is 0 or 1, used to verify the proof. If the verification is successful, the output is 1.

5. The multi-authoritative, publicly traceable, anonymous identity authentication method according to claim 1, characterized in that, The global parameter is represented as follows: param=( , , , ); Here, param represents global parameters. This represents the public key of the first key pair. Indicates a common reference string. , These represent the first hash function and the second hash function, respectively. First hash function ; Second hash function ; in, The message space for the second digital signature scheme is defined.

6. The multi-authoritative, publicly traceable, anonymous identity authentication method according to claim 1, characterized in that, A user's attribute set is defined, and multiple authoritative institutions generate certificates based on the user's attributes and the signature algorithm of the second digital signature scheme, specifically as follows: The user's attribute set is represented as: ; in, This represents the user's public key. Represents user attributes; No. A pair with a second key ( , The authoritative organization that targets the user's attribute set A certain attribute in Generate certificate ; in, This represents the signature algorithm of the second digital signature scheme.

7. The multi-authoritative, publicly traceable, anonymous identity authentication method according to claim 6, characterized in that, The proof algorithm based on the non-interactive zero-knowledge proof scheme generates proofs, specifically including: make For a statement, For a secret, in which the message Certificate collection Attribute set A set of verification keys from authoritative institutions ,make ; For an NP language, that is, for a certain There exists a corresponding Makes it possible to satisfy simultaneously , , , and ; in, Indicates an event identifier, Indicates a connector. Indicates the message payload content, The AND operator, Indicates a certificate. This represents the user's public key. This represents the user's private key. Represents a user's set of attributes. This represents a specific attribute within a set of user attributes. This represents the set of verification keys from an authoritative organization. This represents the verification key of a specific authoritative institution; param indicates global parameters. Indicates a link tag, Indicates tracking tags, Represents a one-way function. This represents the verification algorithm for the second digital signature scheme.

8. The multi-authoritative, publicly traceable, anonymous identity authentication method according to claim 1, characterized in that, Retrieve any two messages with the same event identifier and their authentications. Based on a linking algorithm, check if the link tags in the authentications of the two messages are equal. Specifically, this includes: Get those with the same event identifier Two messages and The authentication representations for the two messages are as follows: and ; in, and This indicates the authentication corresponding to the two messages. and This indicates the link tags for the authentication of the two messages. and This indicates the tracking tags for the authentication of the two messages. and This indicates the authentication proof corresponding to the two messages; examine Whether or not Equal, if = Output 1 if the link is established, otherwise output 0 if the link is not established.

9. The multi-authoritative, publicly traceable, anonymous identity authentication method according to claim 1, characterized in that, Retrieve two messages with the same link tag and their authentication, calculate the user's private key and corresponding public key based on the tracking algorithm, and output the user's public key, specifically including: Calculate the user's private key: ,in, This represents the user's private key. and This indicates the tracking tags for the authentication of the two messages. and This indicates the payload content of the two messages; Calculate the user's public key: ,in, This represents a one-way function.