A signcryption method with equality test property
By generating keys and embedding timestamp authorization through a signature system, the problem of third parties abusing equality tests is solved, data security and validity control are achieved, and privacy leaks are prevented.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- XIDIAN UNIV
- Filing Date
- 2024-02-28
- Publication Date
- 2026-06-23
AI Technical Summary
In existing technologies, third parties have difficulty effectively controlling authorization when conducting equality tests, which may lead to malicious third parties abusing authorization and causing the risk of privacy leakage of encrypted data.
A public parameter set is generated through a signature system, and keys for the receiver and sender are generated. Using the timestamp authorization function, a third party can conduct an equality test within the validity period. The embedded timestamp controls the validity of the verification tag and prevents malicious abuse.
It improves data security, prevents the leakage of encrypted data privacy, ensures that equality tests are conducted within the validity period, and reduces the risk of malicious third parties abusing authorization.
Smart Images

Figure CN118432822B_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of signature verification, and more specifically, to a signature verification method with an equality test property. Background Technology
[0002] Public-key encryption provides confidentiality to cryptographic systems, while digital signatures provide integrity, authentication, and non-repudiation. With the increasing volume of data, more and more individual users and organizations are choosing to outsource data to third parties. To protect data privacy, outsourced data is typically encrypted, requiring third parties to have effective data management methods. Among these methods, the equality test (ET) allows a third party to test whether two ciphertexts were encrypted from the same message without knowing the specific message. Once a recipient authorizes a third party to perform the equality test trapdoor, it is very difficult to revoke such authorization, making it possible for a malicious third party to abuse the authorization, leading to the risk of privacy breaches of encrypted data. Summary of the Invention
[0003] To address the aforementioned problems in the prior art, this invention provides a signature method with an equality test attribute.
[0004] According to a first aspect of the present invention, a signature method having an equality test attribute is provided, the method comprising:
[0005] The signature system obtains the public parameter set pp;
[0006] The signature system generates the first key k for receiver r based on the public parameter set pp. r and the sender's second key k s Wherein, the first key k r Including the first public key PK r and the first private key sk r The second key k s Including the second public key PK s Second private key sk s ;
[0007] The sender s uses the public parameter set pp and the first public key pk. r The second public key pk s The second private key sk s The initial plaintext μ is encrypted using the first timestamp T to obtain the initial ciphertext.
[0008] The sender s uses the initial plaintext μ and the first public key pk. r The initial ciphertext After signing, the final ciphertext ct is obtained and sent to the receiver r;
[0009] After the receiver r receives the final ciphertext ct, it uses the second public key pk. s First private key sk r The initial plaintext μ is obtained from the final ciphertext ct, and the signature e corresponding to the sender s is verified based on the initial plaintext μ and the final ciphertext ct.
[0010] The receiver r is based on the second timestamp and the first private key sk r Generate the second timestamp Corresponding trapdoor Get the second timestamp and the second timestamp Corresponding trapdoor Verification tags and the verification label Send to a third party;
[0011] The third party uses two different verification tags. Given two different final ciphertexts ct, obtain two hash values H(μ) corresponding to the two different final ciphertexts ct respectively. Based on the hash values H(μ) corresponding to the two different final ciphertexts ct, determine whether the two different final ciphertexts ct were obtained by signing the same initial plaintext μ.
[0012] Optionally, the common parameter set Where n is the safety parameter, q is the modulus, and k is the preset parameter. Let m be the dimension of the first matrix, l be the dimension of the second matrix, l be the message length, N be the number of receivers, M be the number of senders, and α, β, σ1, σ2, σ3, s k ,s e For different Gaussian parameters, Let C be the initial plaintext space; matrix C i Represents C0,…,C n The i-th matrix in Represents the set of non-negative integers The selected n×nk dimensional matrix C0,…,C n And for the matrix C0,…,C n Each element in the matrix undergoes a modulo operation modulo q; Represented as from the set of nonnegative integers Select an n×m dimensional matrix A, matrix B, and matrix B', and perform a modulo operation on each element of matrix A and matrix B with the modulus q as the modulus; Represented as from the set of nonnegative integers Selected A matrix B1 of dimension q is formed, and a modulo operation is performed on each element of the matrix B1 modulo q. Represented as from the set of nonnegative integers Select an n×l dimensional matrix U and a matrix U', and perform a modulo operation on each element of the matrix U and the matrix U' with the modulus q as the modulus; Represented as from the set of nonnegative integers Selected The system consists of three matrices A1, A2, and A3, and performs a modulo operation on each element of these matrices using the modulus q; H is a one-way hash function, H1 is a collision-resistant hash function, H2 is a full-rank differential hash function; f is a lattice-based collision-resistant hash function, and F is a pseudo-random function. For from the set of nonnegative integers Select an n-dimensional vector u, and perform a modulo operation on each element of the vector u with the modulus q as the modulus.
[0013] Optionally, the signature system generates a first key k for the receiver r based on the public parameter set pp. r and the sender's second key k s ,include:
[0014] Based on the security parameter n, the modulus q, and the dimension of the first matrix in the public parameter set pp The preset parameter k, the Gaussian parameter σ1, and the Gaussian parameter s k The matrix A and the set of nonnegative integers Generate the first key k for the receiver r r ;
[0015] Based on the security parameter n, the modulus q, and the dimension of the first matrix in the public parameter set pp The preset parameter k, the Gaussian parameter σ1, and the set of non-negative integers Generate the second key k of the sender s s .
[0016] Optionally, the step involves using the security parameter n, the modulus q, and the dimension of the first matrix from the set of public parameters. The preset parameter k, the Gaussian parameter σ1, and the Gaussian parameter s k The matrix A and the set of nonnegative integers Generating the first key for the recipient includes:
[0017] For the receiver r, the TrapGen algorithm is used to extract from the set of non-negative integers. Choose one dimensional matrix And for the matrix Each element in the matrix undergoes a modulo operation modulo q;
[0018] According to the matrix Zhang Cheng's style Obtain the corresponding base Make in, It is the base The Schmitt orthogonalized matrix, It is the Schmitt orthogonalized matrix norm, Representation norm The upper bound is
[0019] Define matrix T' r , making the matrix
[0020] For the receiver r, from the set of nonnegative integers Choose one dimensional matrix And for the matrix Each element in the matrix undergoes a modulo operation modulo q;
[0021] Using Gaussian distribution matrix T r Sum of matrix T” r Let the matrix And let the matrix Wherein, the matrix T r and the matrix T” r All are from the set of non-negative integers Selected from A 3D matrix;
[0022] For the receiver r, a Gaussian distribution is used. The secret item S r and follows a Gaussian distribution The noise term X; wherein, the secret term S rFor from the set of nonnegative integers The selected m×l dimensional matrix, wherein the noise term X is derived from the set of non-negative integers. The selected n×l dimensional matrix;
[0023] According to the secret item S r The noise term X and the matrix A yield matrix B. r ;
[0024] According to the matrix A r The matrix A' r Matrix A and Matrix B r The matrix T r The matrix T' r The matrix T” r and the secret item S r Obtain the first key k r Among them, (A) r ,A' r ,(A,B r )) represents the first public key pk r , (T r ,T' r ,T” r ,S r ) represents the first private key sk r .
[0025] Optionally, the step involves determining the security parameter n, the modulus q, and the dimension of the first matrix from the public parameter set pp. The preset parameter k, the Gaussian parameter σ1, and the set of non-negative integers Generate the second key k of the sender s s ,include:
[0026] For the sender s, from the set of non-negative integers Selected from dimensional matrix sum matrix And for the matrix and the matrix Each element in the matrix undergoes a modulo operation modulo q;
[0027] Using the Gaussian distribution matrix T s And matrix T' s Let the matrix And let the matrix Wherein, the matrix T s and the matrix T s All are from the set of non-negative integers Selected from A dimensional matrix, where matrix G is the tool matrix;
[0028] According to the matrix A s The matrix A' s The matrix T s and the matrix T' s Obtain the second key k s Among them, (A) s ,A' s ) represents the second public key pk s , (T s ,T' s ) represents the second private key sk s .
[0029] Optionally, the sender s determines the sender's method based on the public parameter set pp and the first public key pk. r The second public key pk s The second private key sk s The initial plaintext μ is encrypted using the first timestamp T to obtain the initial ciphertext. include:
[0030] Using Gaussian distribution vector r e sum vector r' e The collision-resistant hash function H1, the lattice-based collision-resistant hash function f, and the matrix The matrix Matrix B, Matrix B', Matrix A s and the matrix A' s , thus obtaining vectors t and t';
[0031] According to the matrix The full-rank differential hash function H2, the vector t, the matrix G, and the matrix T r And the vector t, to obtain matrix A r,t ;
[0032] According to the matrix A' r The matrix The full-rank differential hash function H2, the vector t', the matrix G, and the matrix T” r The matrix A1, matrix A2, matrix A3, matrix B1, and the first timestamp are combined to obtain matrix A'. r,t,T ;
[0033] From the set of nonnegative integers Select n-dimensional secret terms s and s' from the data, and perform a modulo operation modulo q on each element of the secret terms s and s'.
[0034] From the set of nonnegative integers The selected values follow the Gaussian distribution. The m-dimensional noise term x0, from the set of non-negative integers. The selected values follow a Gaussian distribution. of The noise term x'0 of dimension is derived from the set of non-negative integers. The selected values follow a Gaussian distribution. The l-dimensional noise terms x1 and x'1;
[0035] Based on the secret item s, the secret item s', and the matrix A r,t The matrix A' r,t,T The noise term x0, the noise term x'0, the noise term x1, the noise term x'1, the matrix U, and the matrix U' are used to obtain the initial ciphertext.
[0036] Optionally, the step involves the sender s setting the initial plaintext μ and the first public key pk. r The initial ciphertext After signing, the final ciphertext ct is obtained, including:
[0037] The sender s is based on the set of nonnegative integers The selected values follow the Gaussian distribution. The n-dimensional secret term r, from the set of non-negative integers The selected values follow a Gaussian distribution. m-dimensional noise term e ver1 From the set of non-negative integers The selected values follow a Gaussian distribution. The l-dimensional noise term e ver2 The function key k, and the matrix B in the first private key. r The ciphertext of the function (C) is obtained by combining the modulus q. ver ,c ver The function key k is used to encrypt the pseudo-random function F.
[0038] Based on the initial plaintext μ and the first public key pk r The initial ciphertext The pseudo-random function F and the function key k yield a random vector h;
[0039] Based on the random vector h and the matrix C iThe matrix C0 and the second public key pk s Matrix A in s , thus obtaining matrix A s,h ;
[0040] According to the matrix A s,h The second private key sk s Matrix T in s The vector u, the Gaussian parameter σ2, and the sampling function are used to obtain the initial plaintext μ and the first public key pk. r The initial ciphertext The corresponding signature e;
[0041] According to the initial ciphertext The initial plaintext μ and its hash value are encrypted to obtain the hidden ciphertext;
[0042] According to the initial ciphertext The first timestamp T, the function ciphertext (C) ver ,c ver The final ciphertext ct is obtained by hiding the ciphertext and the signature e.
[0043] Optionally, after the receiver r receives the final ciphertext ct, it uses the second public key pk. s First private key sk r The initial plaintext μ is obtained from the final ciphertext ct, and the signature e corresponding to the sender s is verified based on the initial plaintext μ and the final ciphertext ct, including:
[0044] After the receiver r receives the final ciphertext ct, it uses the vector t and the matrix A to... r,t The noise term x0 is obtained by combining the final ciphertext ct.
[0045] Based on the first private key sk r Matrix T in r The matrix A r,t The matrix E is obtained by combining the matrix U and the Gaussian parameter σ2.
[0046] Based on the matrix E, the noise term x0, and the final ciphertext ct, the noisy plaintext v is obtained, and the initial plaintext μ is obtained based on the noisy plaintext v.
[0047] Based on the final ciphertext ct, the modulus q, the initial plaintext μ, the pseudo-random function F, and the first public key pk r The first private key sk r The matrix C i The matrix C0 is used to obtain matrix A'. s,h';
[0048] When matrix A' s,h' Satisfy A' s,h' ·e=umodq, and When the initial plaintext μ is output, it indicates that the signature e corresponding to the sender has been verified;
[0049] When matrix A' s,h' A' is not satisfied s,h' ·e=umodq, or When this occurs, output ⊥ to indicate that the signature e corresponding to the sender s has not been verified.
[0050] Optionally, the receiver r uses a second timestamp. and the first private key sk r Generate the second timestamp Corresponding trapdoor Get the second timestamp and the second timestamp Corresponding trapdoor Verification tags include:
[0051] The receiver r is based on the second timestamp The first private key sk r The matrix The second timestamp is obtained from the matrix A1, matrix A2, matrix A3, matrix B1, and the full-rank differential hash function H2. Corresponding trapdoor
[0052] The receiver r is based on the second timestamp Corresponding trapdoor The result includes the second timestamp. and the second timestamp Corresponding trapdoor Verification tags
[0053] Optionally, the third party may use different verification tags. Given different final ciphertexts ct, obtain hash values H(μ) corresponding to the different final ciphertexts ct. Determine whether the different final ciphertexts ct were obtained by signing the same initial plaintext μ based on the hash values H(μ) corresponding to the different final ciphertexts ct, including:
[0054] The third party uses any two verification tags. and verification labels and the verification label The corresponding final ciphertext ct1 and verification tag The corresponding final ciphertext ct2;
[0055] According to the verification label The hash value H(μ1) corresponding to the initial plaintext μ1 corresponding to the final ciphertext ct1 is obtained from the final ciphertext ct1.
[0056] According to the verification label The hash value H(μ2) corresponding to the initial plaintext μ2 corresponding to the final ciphertext ct2 is obtained from the final ciphertext ct2.
[0057] When the hash value H(μ1) is equal to the hash value H(μ2), it is determined that the initial plaintext μ1 and the initial plaintext μ2 are the same initial plaintext, and the final ciphertext ct1 and the final ciphertext ct2 are treated as the same type;
[0058] When the hash value H(μ1) is not equal to the hash value H(μ2), it is determined that the initial plaintext μ1 and the initial plaintext μ2 are different initial plaintexts, and the final ciphertext ct1 and the final ciphertext ct2 are classified as different classes.
[0059] The technical solutions provided by the embodiments of the present invention may include the following beneficial effects:
[0060] In the above technical solution, a public parameter set pp is obtained; a first key k is generated based on the public parameter set pp. r Second key k s Based on the public parameter set pp and the first public key pk r Second public key pk s Second private key sk s The initial plaintext μ is encrypted using the first timestamp T to obtain the initial ciphertext. For the initial plaintext μ and the first public key pk r Initial ciphertext After signing, the final ciphertext ct is obtained; based on the second public key pk s First private key sk r The initial plaintext μ is obtained from the final ciphertext ct, and the sender's signature e is verified based on the initial plaintext μ and the final ciphertext ct; based on the second timestamp... and the first private key sk r Generate a second timestamp Corresponding trapdoor Get verification label And verify the label Send to a third party; the third party verifies the label. The hash value H(μ) corresponding to the final ciphertext ct is obtained from the initial plaintext μ. Based on the hash value H(μ), it is determined whether different final ciphertexts ct were obtained by signing the same initial plaintext μ. This technical solution adds a timestamp authorization function to the signing scheme, allowing the data owner of the initial plaintext to control the validity of the verification tag used for equality testing by embedding a timestamp. This ensures that third parties performing equality tests can only generate correct test results within the validity period of the verification tag, preventing malicious third parties from abusing authorization, reducing the risk of privacy leaks of encrypted data, and improving data security.
[0061] Other features and advantages of the present invention will be described in detail in the following detailed description section. Attached Figure Description
[0062] The accompanying drawings are provided to further illustrate the invention and form part of the specification. They are used together with the following detailed description to explain the invention, but do not constitute a limitation thereof. In the drawings:
[0063] Figure 1 This is a flowchart illustrating a signature method with an equality test attribute according to an exemplary embodiment. Detailed Implementation
[0064] To facilitate understanding of the present invention, a brief description of the prior art and the inventive concept of the present invention will be provided first.
[0065] To simultaneously achieve public-key encryption and digital signature functionality, a traditional approach is to first sign the message and then encrypt it—a process known as "sign first, then encrypt." However, this method is inefficient. In 1997, scholars proposed a new cryptographic primitive called Digital Signcryption to achieve this functionality. Compared to the "sign first, then encrypt" method, this primitive has lower computational and communication costs.
[0066] With the increasing volume of data, more and more individual users and organizations are choosing to outsource their data to third parties. To protect data privacy, outsourced data is usually encrypted, which requires third parties to have effective data management methods. Among these methods, the equality test (ET) allows third parties to test whether two ciphertexts were encrypted from the same message without knowing the specific message. This enhanced property has been implemented in various public-key encryption schemes (called PKEET), such as those applied to internet-based personal health record systems and secure outsourced database management. Some scholars have proposed a general construction method for PKEET and extended this method from public-key encryption to digital signature encryption, proposing a general construction of a signature encryption scheme (SCET) with equality test properties. SECT also has some real-world applications, such as secure messaging services and the Industrial Internet.
[0067] Once a recipient authorizes a trapdoor for equality testing to a third party, it is difficult to revoke such authorization, potentially leading to abuse by malicious third parties. To provide some control over authorized trapdoors and ensure that equality testing by third parties can only occur within a certain scope, a signature method with equality testing attributes is provided to address the aforementioned technical problems.
[0068] Figure 1 This is a flowchart illustrating a signature method with an equality test property according to an exemplary embodiment, such as... Figure 1 As shown, the method includes the following steps.
[0069] S101, The signature system obtains the public parameter set pp.
[0070] Optionally, the signature encryption system that generates the public parameter set is a public-key cryptosystem. In a public-key cryptosystem, two keys are involved: a public key for encryption and a private key for decryption. The public key is public and can be obtained by anyone, while the private key is kept secret only by the key holder. The public key is used to encrypt the message, and the private key is used to decrypt the ciphertext to ensure the secure transmission and protection of the message. Therefore, the public parameter set is obtained according to the setup algorithm. Where n is the safety parameter, q is the modulus, and k is the preset parameter. Let m be the dimension of the first matrix, l be the dimension of the second matrix, l be the message length, N be the number of receivers, M be the number of senders, and α, β, σ1, σ2, σ3, s be the values of the first matrix and the second matrix. k ,s e For different Gaussian parameters, Let C be the initial plaintext space; matrix C i Represents C0,…,C nThe i-th matrix in Represents the set of non-negative integers A randomly selected n×nk dimensional matrix C0,…,C n Matrix C0,…,C n Let C0,…,C be linearly independent matrices, and for matrices C0,…,C… n Each element in the matrix is subjected to a modulo operation modulo q; Represented as from the set of non-negative integers Select n×m dimensional matrices A, B, and B', and perform a modulo operation with modulus q on each element of matrices A and B. Represented as from the set of non-negative integers Selected A matrix B1 of dimension q is generated, and a modulo operation is performed on each element of matrix B1 modulo q. Represented as from the set of non-negative integers Select an n×l dimensional matrix U and a matrix U', and perform a modulo operation on each element of matrix U and matrix U' with the modulus q as the modulus; Represented as from the set of non-negative integers Selected Given matrices A1, A2, and A3, perform a modulo operation on each element of A1, A2, and A3 modulo q; H is a one-way hash function, H:{0,1}. l →{0,1} l H1 is a collision-resistant hash function. H2 is a full-rank differential hash function. H2 expands an n-dimensional vector m(m') into an n×n matrix H2(m)(H2(m')), satisfying that for different n-dimensional vectors u' and v', H2(u')-H2(v') is full-rank; f is a lattice-based collision-resistant hash function, defined by a random matrix W and a vector x: f W (x): = Wxmodq, where F is a pseudo-random function; From the set of non-negative integers Select an n-dimensional vector u and perform a modulo operation on each element of vector u with the modulus q.
[0071] S102. The signature system generates the first key k for receiver r based on the public parameter set pp. r and the sender's second key k s ; where the first key k r Including the first public key PK r and the first private key sk r The second key k s Including the second public key PK sSecond private key sk s .
[0072] S103, The sender s uses the public parameter set pp and the first public key pk. r Second public key pk s Second private key sk s The initial plaintext μ is encrypted using the first timestamp T to obtain the initial ciphertext.
[0073] It is understandable that the first timestamp T is already embedded in the initial ciphertext. This first timestamp T can be denoted as T = (t1, t2, t3), where t1 represents the year, t2 represents the month, and t3 represents the specific date.
[0074] S104, In the sender s, the initial plaintext μ and the first public key pk are... r Initial ciphertext After signing, the final ciphertext ct is obtained and sent to the receiver r.
[0075] Understandably, the initial ciphertext After signing, the final ciphertext ct is sent to the receiver r. The signature ensures the integrity, authenticity, and sender's identity of the ciphertext. By verifying the signature, the receiver can confirm that the message was indeed sent by a specific sender and has not been tampered with during transmission. This helps prevent message forgery or alteration and ensures the security and trustworthiness of information.
[0076] S105. After the receiver r receives the final ciphertext ct, it uses the second public key pk. s First private key sk r The initial plaintext μ is obtained from the final ciphertext ct, and the signature e corresponding to the sender s is verified based on the initial plaintext μ and the final ciphertext ct.
[0077] S106, Receiver r based on the second timestamp and the first private key sk r Generate a second timestamp Corresponding trapdoor Get the second timestamp Second timestamp Corresponding trapdoor Verification tags And verify the label Send to a third party.
[0078] Understandably, receiver r uses the second timestamp. and the first private key sk r Generate a second timestamp Corresponding trapdoor Trapdoor Embedded second timestamp It is used to restrict third-party authorized access to data, a second timestamp. Only when the included dates match the dates included in the first timestamp T can a third party obtain the hash value corresponding to the initial plaintext; for example, when the first timestamp T is (2024,05,20), the second timestamp... When it is (2024), it means that the receiver r authorizes any third party to obtain the hash value corresponding to the initial plaintext during 2024; when the first timestamp T is (2024, 05, 20), the second timestamp When it is (2024,5,21), it means that the receiver r authorizes the third party to obtain the hash value corresponding to the initial plaintext only during the period from May 21, 2024.
[0079] S107, Third parties use different verification tags Given different final ciphertexts ct, obtain the hash values H(μ) corresponding to the different final ciphertexts ct. Based on the hash values H(μ) corresponding to the different final ciphertexts ct, determine whether the different final ciphertexts ct were obtained by signing the same initial plaintext μ.
[0080] It is understandable that the hash value H(μ) of the same initial plaintext μ is the same, therefore, when a third party verifies different tags... Given different final ciphertexts ct, and obtaining the hash values H(μ) corresponding to each final ciphertext ct, it can be determined whether the different final ciphertexts ct were obtained by signing the same initial plaintext μ.
[0081] Optionally, S102 may include:
[0082] Based on the security parameter n, modulus q, and dimension of the first matrix in the public parameter set pp Preset parameters k, Gaussian parameter σ1, Gaussian parameter s k Matrix A and set of nonnegative integers The first key k for generating receiver r r .
[0083] It is understandable that the first key k is generated using the Key Generation Algorithm (KG). r Second key k s ;
[0084] Specifically, generate the first key k r The steps are as follows:
[0085] Generate data for receiver r using the TrapGen algorithm from the set of non-negative integers. Choose one dimensional matrix And for the matrix Each element in the matrix is subjected to a modulo operation modulo q;
[0086] According to the matrix Zhang Cheng's style Obtain the corresponding base Make in, The symbol ⊥ represents base satisfy It is base The Schmitt orthogonalized matrix, It is a Schmitt orthogonalization matrix norm, Representation norm The upper bound is
[0087] Define matrix T' r , making the matrix
[0088] For receiver r, from the set of nonnegative integers Choose one dimensional matrix And for the matrix Each element in the matrix is subjected to a modulo operation modulo q;
[0089] Using Gaussian distribution matrix T r Sum of matrix T” r Let the matrix Make And let the matrix Make Where I is the identity matrix, and matrix T r Sum of matrix T” r All are from the set of non-negative integers Selected from A 3D matrix;
[0090] For the receiver r, it follows a Gaussian distribution. The secret item S r and follows a Gaussian distribution The noise term X; where the secret term S r From the set of non-negative integers The selected m×l dimensional matrix has a noise term X derived from the set of non-negative integers. The selected n×l dimensional matrix;
[0091] According to the secret item S rThe noise term X and matrix A yield matrix B. r According to the secret item S r And noise term X, calculated to obtain According to the secret item S r An LWE (Learning With Errors) hard problem instance is constructed with the noise term X and embedded into the signature method to ensure the indistinguishable security of this invention;
[0092] According to matrix A r Matrix A' r Matrix A, Matrix B r Matrix T r Matrix T' r Matrix T” r and secret item S r Obtain the first key k r Among them, (A) r ,A' r ,(A,B r )) Represents the first public key pk r , (T r ,T' r ,T” r ,S r ) represents the first private key sk r .
[0093] Based on the security parameter n, modulus q, and dimension of the first matrix in the public parameter set pp Preset parameters k, Gaussian parameters σ1, and the set of nonnegative integers Generate the second key k for sender s s .
[0094] Specifically, for the sender s, from the set of non-negative integers Selected from dimensional matrix sum matrix And for the matrix sum matrix Each element in the matrix is subjected to a modulo operation modulo q;
[0095] Using Gaussian distribution matrix T s And matrix T' s Let the matrix Make And let the matrix Make Wherein, matrix T s Sum matrix T s All are from the set of non-negative integers Selected from A dimensional matrix, where matrix G is the tool matrix;
[0096] According to matrix A s Matrix A' s Matrix T s And matrix T' s Obtain the second key k s Among them, (A) s ,A' s ) represents the second public key pk s , (T s ,T' s ) represents the second private key sk s .
[0097] Optionally, S103 may include:
[0098] Using Gaussian distribution vector r e sum vector r' e Collision-resistant hash function H1, lattice-based collision-resistant hash function f, matrix matrix Matrix B, Matrix B', Matrix A s Sum of matrix A' s , thus obtaining vectors t and t';
[0099] According to the matrix Full-rank differential hash function H2, vector t, matrix G, matrix T r And vector t, to obtain matrix A r,t ;
[0100] According to matrix A' r ,matrix Full-rank differential hash function H2, vector t', matrix G, matrix T” r Given matrices A1, A2, A3, B1, and the first timestamp, we obtain matrix A'. r,t,T ;
[0101] From the set of nonnegative integers Select n-dimensional secret terms s and s' from the data, and perform a modulo operation modulo q on each element of secret terms s and s'.
[0102] From the set of nonnegative integers The selected values follow a Gaussian distribution. The m-dimensional noise term x0 is derived from the set of non-negative integers. The selected values follow a Gaussian distribution. of The noise term x'0 of dimension is derived from the set of non-negative integers. The selected values follow a Gaussian distribution. The l-dimensional noise terms x1 and x'1;
[0103] Based on secret term s, secret term s', and matrix A r,t Matrix A' r,t,T Noise term x0, noise term x'0, noise term x1, noise term x'1, matrix U, and matrix U' are used to obtain the initial ciphertext.
[0104] Understandably, according to the Signcrypt algorithm (SC), the public key pk is input to the receiver r. r =(A r ,A' r ,(A,B r )) and the sender's private key sk s =(T s ,T' s ), initial plaintext Given a date stamp T = (t1, t2, t3), perform the following operations:
[0105] from The selected values follow a Gaussian distribution. vector r e sum vector r' e Based on the collision-resistant hash function H1, the lattice-based collision-resistant hash function f, and the matrix matrix Matrix B, Matrix B', Matrix A s Sum of matrix A' s ,calculate and We obtain vectors t and t'; vector r e Vector r' e The selection of vectors t and t' ensures that for the same receiver r and sender s, different initial plaintexts μ will have different values. The construction of vectors t and t' ensures that they have different values for different receivers, senders, and initial plaintexts, effectively preventing the leakage of information from the initial plaintext.
[0106] matrix Among them, the sender's second private key sk s Matrix T in r As matrix A r,t The trapdoor, satisfying matrix Among them, the sender's second private key sk s In matrix T” r As matrix A' r,t,T The trapdoor is set up, and the first timestamp T = (t1, t2, t3) is embedded into matrix A'. r,t,T and satisfy
[0107] From the set of nonnegative integers Select n-dimensional secret terms s and s' from the set of non-negative integers, and perform a modulo operation modulo q on each element of secret terms s and s'; The selected values follow a Gaussian distribution. The m-dimensional noise term x0 is derived from the set of non-negative integers. The selected values follow a Gaussian distribution. of The noise term x'0 of dimension is derived from the set of non-negative integers. The selected values follow a Gaussian distribution. The l-dimensional noise terms x1 and x'1; select the secret term and noise term to construct an instance of the LWE difficult problem;
[0108] Then c'0=(s') t A' r,t,T +(x'0) t , Based on the aforementioned secret and noise terms, an instance of the LWE hard problem is constructed, such that the indistinguishability security and one-way security of chosen-plaintext attacks can be reduced to the LWE hard problem; where, This represents the transpose of vector x1, and the rest are similar in form, so they will not be repeated here.
[0109] Based on secret term s, secret term s', and matrix A r,t Matrix A' r,t,T Noise term x0, noise term x'0, noise term x1, noise term x'1, matrix U, and matrix U' are used to obtain the initial ciphertext.
[0110] Optionally, S104 may include:
[0111] The sender s is based on the set of non-negative integers The selected values follow a Gaussian distribution. The n-dimensional secret term r, from the set of non-negative integers The selected values follow a Gaussian distribution. m-dimensional noise term e ver1 From the set of non-negative integers The selected values follow a Gaussian distribution. The l-dimensional noise term e ver2 Function key k, matrix B in the first private key r The function ciphertext (C) is obtained by modulo q. ver ,c ver ); where the function key k is used to encrypt the pseudo-random function F;
[0112] Based on the initial plaintext μ and the first public key pk r Initial ciphertext The pseudo-random function F and the function key k produce a random vector h;
[0113] Based on the random vector h and matrix C i Matrix C0 and the second public key pk s Matrix A in s , thus obtaining matrix A s,h ;
[0114] According to matrix A s,h Second private key sk s Matrix T in s The vector u, Gaussian parameters σ², and sampling function are used to obtain the initial plaintext μ and the first public key pk. r Initial ciphertext The corresponding signature e;
[0115] According to the initial ciphertext The hidden ciphertext is obtained by encrypting the initial plaintext μ and its hash value.
[0116] According to the initial ciphertext First timestamp T, function ciphertext (C) ver ,c ver ), hide the ciphertext and signature e to obtain the final ciphertext ct.
[0117] It is understandable that uniformly randomized key spaces {0,1} are drawn from the pseudo-random function F. l Choose the function key k, and reconstruct the LWE hard problem instance from the set of non-negative integers. The selected values follow a Gaussian distribution. The n-dimensional secret term r, from the set of non-negative integers The selected values follow a Gaussian distribution. m-dimensional noise term e ver1 From the set of non-negative integers The selected values follow a Gaussian distribution. The l-dimensional noise term e ver2 Then, based on matrix B in the first private key r The ciphertext of the function is obtained from the modulus q. Embedding a public-key encryption algorithm within a signature cryptography (SC) algorithm ensures that only those with the private key S can access the encryption. r Only the receiver r can decrypt the ciphertext of the function (C). ver ,c ver ), thus obtaining the function key k of the encrypted pseudo-random function F;
[0118] Calculate vectors A pseudo-random function F is used to compute a vector h, making the vector h appear random and independent of the initial plaintext μ; a matrix is constructed. This makes the signature 'e' more difficult to forge;
[0119] According to matrix A s,h Second private key sk s Matrix T in s Given the vector u, Gaussian parameters σ², and sampling function, we obtain the signature e←SampleD(T). s A s,h The preimage sampling function SampleD is called, and the sampling follows a Gaussian distribution. The vector e is used as The signature satisfies A s,h ·e=u, which makes the existence and unforgeability of the solution reducible to the SIS (Short Integer Solution) problem;
[0120] The initial plaintext μ and its corresponding hash value H(μ) are hidden to obtain the hidden ciphertext. and hidden ciphertext
[0121] According to the initial ciphertext First timestamp T, function ciphertext (C) ver ,c ver The final ciphertext ct = (c0, c1, r) is obtained by hiding the ciphertext and the signature e. e ,c'0,c'1,r' e ,e,(C ver ,c ver ),T).
[0122] Optionally, S105 may include:
[0123] After receiver r receives the final ciphertext ct, based on vector t and matrix A r,t The noise term x0 is obtained by combining the final ciphertext ct.
[0124] Based on the first private key sk r Matrix T in r Matrix A r,t From matrix U and Gaussian parameter σ², we obtain matrix E;
[0125] Based on matrix E, noise term x0, and final ciphertext ct, the noisy plaintext v is obtained, and the initial plaintext μ is obtained based on the noisy plaintext v.
[0126] Based on the final ciphertext ct, modulus q, initial plaintext μ, pseudo-random function F, and first public key pk r First private key sk rMatrix C i From matrix C0, we obtain matrix A' s,h' ;
[0127] When matrix A' s,h' Satisfy A' s,h' ·e=umodq, and At that time, the initial plaintext μ is output to indicate that the sender's signature e has been verified;
[0128] When matrix A' s,h' A' is not satisfied s,h' ·e=umodq, or When the time is right, output ⊥ to indicate that the signature e corresponding to the sender s has not been verified.
[0129] It is understandable that step S104 is the angle of the sender s, and step S105 is the angle of the receiver r. Therefore, after receiving the final ciphertext ct, the unsigned cryptography algorithm (USC) is used to first calculate the vector. sum matrix Then, based on the Invert algorithm, through matrix T... r Calculate LWE instances The secret value s and the noise term x0 are obtained by (s,x0)←Invert(T) r A r,t ,c0); then based on the first private key sk r Matrix T in r Matrix A r,t Given matrix U and Gaussian parameter σ², we obtain matrix E, specifically represented as E←SampleD(T) r A r,t ,U,σ2), where A r,t E = U; then calculate the plaintext with noise. The initial plaintext μ after decryption is obtained by modulo operation of vmodq;
[0130] To verify the signature e in the final ciphertext ct, first calculate based on the initial plaintext μ. and Let the initial ciphertext Based on the final ciphertext ct, calculate the function key k' = c. ver -C ver S r For the function key k', if the function key k' is greater than... If the function key k' is closer to 0, then the function key k' is 0; if the function key k' is closer to 0 than 0, then the function key k' is 0. The further away from 0, the function key k' becomes 1; based on the above, the vector is obtained. And obtain the matrix If A' is satisfieds,h ·e=umodq and If the verification passes, the initial plaintext μ is output; otherwise, the verification fails, and ⊥ is output.
[0131] Optionally, S106 may include: receiver r based on the second timestamp First private key sk r ,matrix Matrix A1, matrix A2, matrix A3, matrix B1, and full-rank differential hash function H2 are used to obtain the second timestamp. Corresponding trapdoor
[0132] Receiver r based on the second timestamp Corresponding trapdoor Get the second timestamp Second timestamp Corresponding trapdoor Verification tags
[0133] It is understandable that the algorithm (Tag) used to generate an equality test trapdoor is used to obtain the verification tag.
[0134] Second timestamp ρ = 1, 2, 3, representing the second timestamp May include year years and month Or year month and date Perform the following operations:
[0135] If ρ = 1, Year Embedded trapdoor In the SampleBasisLeft algorithm, the sampling trapdoor is used. The specific method is to ensure that the distribution of the trapdoors follows a Gaussian distribution with parameter σ3. After that, matrix Trapdoor satisfy
[0136] If ρ = 2, Year and month Embedded trapdoor In the SampleBasisLeft algorithm, the sampling trapdoor is used. The specific method is to ensure that the distribution of the trapdoors follows a Gaussian distribution with parameter σ3. After that, matrix Trapdoor satisfy
[0137] If ρ = 3, Year month and date Embedded trapdoor In the SampleBasisLeft algorithm, the sampling trapdoor is used. The specific method is to ensure that the distribution of the trapdoors follows a Gaussian distribution with parameter σ3. After that, matrix Trapdoor satisfy
[0138] Based on the specific circumstances described above, the corresponding verification tags are obtained.
[0139] Optionally, S107 may include:
[0140] The third party uses any two verification tags and verification labels and verification labels The corresponding final ciphertext ct1 and verification tag The corresponding final ciphertext ct2;
[0141] According to the verification label The hash value H(μ1) corresponding to the initial plaintext μ1 is obtained by combining the final ciphertext ct1 with the final ciphertext ct1.
[0142] According to the verification label The hash value H(μ2) corresponding to the initial plaintext μ2 is obtained from the final ciphertext ct2;
[0143] When the hash value H(μ1) equals the hash value H(μ2), the initial plaintext μ1 and the initial plaintext μ2 are determined to be the same initial plaintext, and the final ciphertext ct1 and the final ciphertext ct2 are treated as the same type;
[0144] When the hash value H(μ1) is not equal to the hash value H(μ2), the initial plaintext μ1 and the initial plaintext μ2 are determined to be different initial plaintexts, and the final ciphertext ct1 and the final ciphertext ct2 are classified as different classes.
[0145] Understandably, the algorithm used for equality testing (Test) is to input the verification tag received by the third party. And the encrypted ct1, and the tag and ciphertext ct2, where, Perform the following operations:
[0146] calculate
[0147] If ρ1 = 1, set up Then calculate set up The trapdoor is obtained using the Tag algorithm. The date t of the first timestamp 3,1 and monthly quantity t 2,1 Embedded trapdoor (in the middle), then calculate set up Then F τ,1 ·sk τ,1 =U'1.
[0148] If ρ1 = 2, set up The trapdoor is obtained using the Tag algorithm. The date t of the first timestamp 3,1 Embedded trapdoor (in Chinese), then calculate set up Then F τ,1 ·sk τ,1 =U'1.
[0149] If ρ1 = 3, set up Then F τ,1 ·sk τ,1 =U'1.
[0150] calculate:
[0151]
[0152] Obtain the initial plaintext v'1 with noise; calculate the initial plaintext H(μ1) using v'1 mod q, and similarly obtain the initial plaintext H(μ2); if H(μ1) = H(μ2), output 1, determine that the initial plaintext μ1 and initial plaintext μ2 are the same initial plaintext, and classify the final ciphertext ct1 and final ciphertext ct2 as the same class; if H(μ1) ≠ H(μ2), output 0, determine that the initial plaintext μ1 and initial plaintext μ2 are different initial plaintexts, and classify the final ciphertext ct1 and final ciphertext ct2 as different classes.
[0153] In the aforementioned technical solution, a datest-based authorization mechanism for signature encryption schemes with equality testing attributes is selected, which features indistinguishable security under plaintext attacks, one-way security under plaintext attacks, and strong existence and unforgeability security. This enhances security and provides a timestamp authorization function for signature encryption schemes with equality testing attributes. This function allows data owners to control the validity of trapdoors used for equality testing by embedding datestamps, ensuring that third parties performing equality tests can only generate correct test results within the trapdoor's validity period.
[0154] The preferred embodiments of the present invention have been described in detail above with reference to the accompanying drawings. However, the present invention is not limited to the specific details of the above embodiments. Within the scope of the technical concept of the present invention, various simple modifications can be made to the technical solution of the present invention, and these simple modifications all fall within the protection scope of the present invention.
[0155] It should also be noted that the various specific technical features described in the above specific embodiments can be combined in any suitable manner without contradiction. In order to avoid unnecessary repetition, the present invention will not describe the various possible combinations separately.
[0156] Furthermore, various different embodiments of the present invention can be combined in any way, as long as they do not violate the spirit of the present invention, they should also be regarded as the content disclosed by the present invention.
Claims
1. A signature method with an equality test property, characterized in that, The method includes: The signature system obtains the set of public parameters. The common parameter set ;in, For safety parameters, For modulus, These are preset parameters. Let be the dimension of the first matrix. The dimension of the second matrix is... For message length, For the number of recipients, For the number of senders, For different Gaussian parameters, For the initial plaintext space; matrix express The first in matrix, Represents the set of non-negative integers Selected dimensional matrix and the matrix Each element in is processed using the modulus. Modulo operation; Represented as from the set of nonnegative integers Selected dimensional matrix ,matrix sum matrix and the matrix and the matrix Each element in is processed using the modulus. Modulo operation; Represented as from the set of nonnegative integers Selected dimensional matrix and the matrix Each element in is processed using the modulus. Modulo operation; Represented as from the set of nonnegative integers Selected dimensional matrix sum matrix and the matrix and the matrix Each element in is processed using the modulus. Modulo operation; Represented as from the set of nonnegative integers Selected dimensional matrix ,matrix sum matrix and the matrix The matrix and the matrix Each element in is processed using the modulus. Modulo operation; For a one-way hash function, For collision-resistant hash functions, A full-rank differential encoding hash function; For lattice-based collision-resistant hash functions, It is a pseudo-random function; For from the set of nonnegative integers Selected dimensional vector and for the vector Each element in is processed using the modulus. Modulo operation; The signature system is based on the set of public parameters. Generate receiver First key and sender The second key The first key Including the first public key and the first private key The second key Including the second public key Second private key ; The sender According to the set of common parameters The first public key The second public key The second private key and first timestamp For the initial plaintext Encryption is performed to obtain the initial ciphertext. ; In the sender For the initial plaintext The first public key The initial ciphertext After signing, the final ciphertext is obtained. and the final ciphertext Send to the recipient ; In the recipient Received the final ciphertext Then, based on the second public key First private key and the final ciphertext The initial plaintext is obtained and according to the initial plaintext and the final ciphertext Verify the sender Corresponding signature ; The recipient According to the second timestamp and the first private key Generate the second timestamp Corresponding trapdoor , to obtain the second timestamp and the second timestamp Corresponding trapdoor Verification tags and the verification label Send to a third party; The third party uses different verification tags And different final ciphertexts Different final ciphertexts are obtained. The corresponding hash values According to different final ciphertexts The corresponding hash values Determine the difference in the final ciphertext Whether from the same initial plaintext Obtained through signature.
2. The signature method with equality test attribute according to claim 1, characterized in that, The signature system is based on the set of public parameters. Generate receiver First key and sender The second key ,include: According to the set of common parameters The security parameters mentioned in The module The dimension of the first matrix The preset parameters The Gaussian parameters The Gaussian parameters The matrix and the set of nonnegative integers Generate the receiver First key ; According to the set of common parameters The security parameters mentioned in The module The dimension of the first matrix The preset parameters The Gaussian parameters and the set of nonnegative integers Generate the sender The second key .
3. The signature method with equality test attribute according to claim 2, characterized in that, The security parameters based on the set of public parameters The module The dimension of the first matrix The preset parameters The Gaussian parameters The Gaussian parameters The matrix and the set of nonnegative integers Generating the first key for the recipient includes: For the recipient Using the TrapGen algorithm from the set of non-negative integers Choose one dimensional matrix and the matrix Each element in is processed using the modulus. Modulo operation; According to the matrix Zhang Cheng's style Obtain the corresponding base , making ;in, , It is the base The Schmitt orthogonalized matrix, It is the Schmitt orthogonalized matrix norm, Representation norm The upper bound is ; Define matrix , making the matrix ; For the recipient From the set of non-negative integers Choose one dimensional matrix and the matrix Each element in is processed using the modulus. Modulo operation; Using Gaussian distribution matrix sum matrix Let the matrix And let the matrix ; wherein, the matrix and the matrix All are from the set of non-negative integers Selected from A 3D matrix; For the recipient Using a Gaussian distribution The secret item and follows a Gaussian distribution noise item ; wherein, the secret item For from the set of nonnegative integers Selected A dimensional matrix, the noise term For from the set of nonnegative integers Selected A 3D matrix; According to the secret item The noise item and the matrix Obtain the matrix ; According to the matrix The matrix The matrix The matrix The matrix The matrix The matrix and the secret item Obtain the first key ;in, Characterizing the first public key , Characterizing the first private key .
4. The signature method with equality test attribute according to claim 3, characterized in that, According to the set of common parameters The security parameters mentioned in The module The dimension of the first matrix The preset parameters The Gaussian parameters and the set of nonnegative integers Generate the sender The second key ,include: For the sender From the set of non-negative integers Selected from dimensional matrix sum matrix and the matrix and the matrix Each element in is processed using the modulus. Modulo operation; Using the Gaussian distribution matrix sum matrix Let the matrix And let the matrix ; wherein, the matrix and the matrix All are from the set of non-negative integers Selected from 3D matrix, matrix For the tool matrix; According to the matrix The matrix The matrix and the matrix Obtain the second key ;in, Characterizing the second public key , Characterizing the second private key .
5. The signature method with equality test attribute according to claim 4, characterized in that, The sender According to the set of common parameters The first public key The second public key The second private key and first timestamp For the initial plaintext Encryption is performed to obtain the initial ciphertext. ,include: Using Gaussian distribution vector sum vector The anti-collision hash function Lattice-based collision-resistant hash functions The matrix The matrix The matrix The matrix The matrix and the matrix , to obtain vector sum vector ; According to the matrix The full-rank differential encoding hash function The vector The matrix The matrix and the vector , to obtain the matrix ; According to the matrix The matrix The full-rank differential encoding hash function The vector The matrix The matrix The matrix The matrix The matrix ,matrix Combined with the first timestamp, a matrix is obtained. ; From the set of nonnegative integers Selected from Dimensional Secrets and secret items and the secret item and the secret item Each element in is processed using the modulus. Modulo operation; From the set of nonnegative integers The selected values follow the Gaussian distribution. of noise term of dimension From the set of non-negative integers The selected values follow a Gaussian distribution. of noise term of dimension From the set of non-negative integers The selected values follow a Gaussian distribution. of noise term of dimension and noise terms ; According to the secret item The secret item The matrix The matrix The noise item The noise item The noise item The noise item The matrix and the matrix The initial ciphertext is obtained. .
6. The signature method with equality test attribute according to claim 5, characterized in that, The sender For the initial plaintext The first public key The initial ciphertext After signing, the final ciphertext is obtained. ,include: The sender According to the set of nonnegative integers The selected values follow the Gaussian distribution. of Dimensional Secrets From the set of non-negative integers The selected values follow a Gaussian distribution. of noise term of dimension From the set of non-negative integers The selected values follow a Gaussian distribution. of noise term of dimension Function key The matrix in the first private key and the modulus Obtain the function ciphertext ; wherein, the function key Used for the pseudo-random function Encrypt; According to the initial plaintext The first public key The initial ciphertext The pseudo-random function and function key Obtain random vectors ; According to the random vector The matrix The matrix and the second public key Matrix in , to obtain the matrix ; According to the matrix The second private key Matrix in The vector The Gaussian parameters The initial plaintext is obtained by the sampling function. The first public key The initial ciphertext Corresponding signature ; According to the initial ciphertext For the initial plaintext and the initial plaintext The hash value is encrypted to obtain the hidden ciphertext; According to the initial ciphertext The first timestamp The function ciphertext The hidden ciphertext and the signature Obtain the final ciphertext .
7. The signature method with equality test attribute according to claim 6, characterized in that, The recipient Received the final ciphertext Then, based on the second public key First private key and the final ciphertext The initial plaintext is obtained and according to the initial plaintext and the final ciphertext Verify the sender Corresponding signature ,include: In the recipient Received the final ciphertext Then, based on the vector The matrix and the final ciphertext The noise term is obtained ; Based on the first private key Matrix in The matrix The matrix and Gaussian parameters , to obtain the matrix ; According to the matrix The noise item and the final ciphertext Obtain noisy plaintext And according to the noisy plaintext The initial plaintext is obtained ; According to the final ciphertext The module The initial plaintext The pseudo-random function The first public key The first private key The matrix The matrix , to obtain the matrix ; When matrix satisfy ,and At that time, output the initial plaintext. To characterize the signature corresponding to the sender. Verification passed; When matrix Not satisfied ,or When, output To characterize the sender Corresponding signature Verification failed.
8. The signature method with equality test attribute according to claim 3, characterized in that, The recipient According to the second timestamp and the first private key Generate the second timestamp Corresponding trapdoor , to obtain the second timestamp and the second timestamp Corresponding trapdoor Verification tags ,include: The recipient According to the second timestamp The first private key The matrix The matrix The matrix The matrix The matrix and the full-rank differential encoding hash function The second timestamp is obtained. Corresponding trapdoor ; The recipient According to the second timestamp The trapdoor Get the second timestamp and the second timestamp Corresponding trapdoor Verification tags .
9. The signature method with equality test attribute according to claim 3, characterized in that, The third party uses different verification tags And different final ciphertexts Different final ciphertexts are obtained. The corresponding hash values According to different final ciphertexts The corresponding hash values Determine the difference in the final ciphertext Whether from the same initial plaintext The signature is obtained, including: The third party verifies the label. and verification labels The corresponding final ciphertext The final ciphertext is obtained. Corresponding initial plaintext corresponding hash value ; The third party verifies the label. and verification labels The corresponding final ciphertext The final ciphertext is obtained. Corresponding initial plaintext corresponding hash value ; When the hash value Equal to the hash value When, determine the initial plaintext and the initial plaintext For the same initial plaintext, and the final ciphertext and the final ciphertext As of the same kind; When the hash value Not equal to the hash value When, determine the initial plaintext and the initial plaintext For different initial plaintexts, and the final ciphertext and the final ciphertext As different classes.