CN103259662A - Novel procuration signature and verification method based on integer factorization problems - Google Patents

Abstract

The invention discloses a novel procuration signature and verification method based on integer factorization problems. The novel procuration signature and verification method based on the integer factorization problems includes the steps: before a network operates, firstly generating personal public keys and private keys by original signature people and procuration signature people, and issuing the public keys; when signature requests are provided, generating authorization letters by the original signature people, and calculating signature authorization based on a chameleon hash function and an ordinary digital signature algorithm, sending the signature authorization to the procuration signature people, carrying out validity verification on the received signature authorization by the procuration signature people, if the signature authorization is effective, generating the procuration signature based on collision property of the chameleon hash function, and digital signature does not need to be carried out on information, when a verifier receives the authorization letters and the procuration signature, firstly, verifying whether the authorization letters are effective or not, after the authorization letters are verified to be effective, and then verifying validity of the procuration signature. According to the application of the novel procuration signature and verification method based on the integer factorization problems, processing efficiency of the procuration signature is high, and the length of the procuration signature is short. The novel procuration signature and verification method based on the integer factorization problems is suitable for environments such as mobile networks and the wireless networks where computing power and network bandwidth are limited.

Description

A kind of new allograph and verification method based on the integer resolution problem

Technical field

The invention belongs to the network security technology field, relate to public key cryptography and digital signature, be specifically related to a kind of new allograph and verification method based on the integer resolution problem.

Background technology

Along with development of computer network with popularize, information security issue also becomes the social concern that common people pay close attention to, and in information world, how to realize authenticating, data integrity and non-repudiation become the emphasis that numerous scholars explore.Digital signature is as the digital substitute of handwritten signature, the natural broad research that has obtained password educational circles.Need based on different application in people's real life, numerous have the digital signature scheme of special purpose to be proposed in succession, and allograph is the important means that solves the signature authorises problem in the digital signature.To be an entity or colony entrust to a kind of behavior that another one entity or colony implement to some the signature rights of oneself to signature authorises, and this mandate is needing the occasion of commission order that important application is arranged such as mobile agent, Distributed Calculation, grid computing and wireless network etc.

In existing allograph method based on the integer resolution problem, adopt the string data mode to realize: original signature people is the certificate of entrustment (PKI that comprises the original signature people to generating at first, allograph people's PKI, the term of validity of authorizing and allograph message etc.) carry out digital signature, obtain signature authorises and (comprise certificate of entrustment, certificate of entrustment is signed) and send to the allograph people, the allograph people utilizes signature authorises and the private key of oneself, message in the certificate of entrustment is carried out digital signature, produce final allograph, and this allograph is made up of to information signature two parts signature authorises and the allograph people of original signature.

During the last ten years, Chinese scholars has been carried out deep research to allograph, has obtained great successes, comprises the discussion to security model, proposes new departure, to the analysis of existing scheme and improvement etc.Yet also there are following problem in the research of allograph and application:

(1) present allograph mostly utilizes bilinearity to designing, and the operand that bilinearity is right is big, and is many to the consumption of computational resource, can't be applied to the computing capability constrained environment;

(2) existing allograph based on the integer resolution problem is the signature authorises of original signature and allograph people two signatures of signature of message to be made of in essence, this makes that final allograph length is long, the transmission of allograph can consume more bandwidth, is not suitable for the limited network environment of bandwidth;

(3) existing several allograph method based on the integer resolution problem proves because rational security model and fail safe are not provided, cause to resist a kind of or two kinds of attacks in outside opponent, malicious agent signer, three types of attacks of malice original signature people, so existing several allograph method based on the integer resolution problem is generally dangerous.

Summary of the invention

Goal of the invention of the present invention is: at the problem of above-mentioned existence, provide the new allograph method based on the integer resolution problem that a kind of processing speed is fast, allograph length is short.

A kind of new allograph method based on the integer resolution problem of the present invention comprises the following steps:

Step 1: generate original signature people's private key, PKI, allograph people's private key, PKI;

Step 2: the allograph people generates interim PKI r according to its private key, PKI₁, and send to the original signature people;

Step 3: original signature people receives interim PKI r₁After, at first generating certificate of entrustment w, this certificate of entrustment w comprises original signature people's PKI, allograph people's PKI, the term of validity of mandate and the message m of allograph, selects integer t more at random₀, based on the cryptographic Hash h of the certificate of entrustment w calculating chameleon hash function that generates₂, and to described cryptographic Hash h₂Carry out digital signature, obtain certificate of entrustment w signature; And by safe lane signature authorises being sent to the allograph people, described signature authorises comprises certificate of entrustment w, certificate of entrustment signature, integer t₀

Step 4: the allograph people carries out validation verification to the signature authorises of receiving, if effectively, then execution in step 5;

Step 5: the allograph people verifies whether the allograph message m meets certificate of entrustment w, if, then:

Private key, PKI according to the allograph people generate interim PKI r₂

According to described interim PKI r₂, based on collision (certificate of entrustment w, the integer t of chameleon hash function₀Chameleon hash functional value and message m, random number t₁The chameleon hash functional value equate, be cryptographic Hash h₂) generation message m random number corresponding t₁

By certificate of entrustment signature, interim PKI r₂, random number t₁Constitute the allograph of message m under certificate of entrustment w.

Realize allograph of the present invention owing to the present invention is based on the collision of chameleon hash function, guaranteeing under the prerequisite that no key is revealed, its processing speed is fast, resource consumption is few, and final allograph is shorter than the length of existing Proxy Signature Scheme based on the integer resolution problem, allograph people of the present invention is based on the collision of chameleon hash function, only need find out the collision of given chameleon hash value (based on the cryptographic Hash of the chameleon hash function of certificate of entrustment w), just can generate allograph, and need not to calculate again signature to message m, shorten the length of existing allograph based on the integer resolution problem, reduced the amount of calculation of allograph generative process; And because the length of allograph of the present invention is short, the bandwidth that its transmission consumes is few, is specially adapted to the signature authorises business of resource-constrained wireless network environment.

Simultaneously, by the generative process of allograph of the present invention as can be known, its allograph has unforgeable, and this has just resisted malicious agent signer's attack; And under the prerequisite of the trapdoor of not knowing chameleon hash function of the present invention (trap door information), original signature people can't forge allograph, and this has just prevented malice original signature people's attack; The attack resource that has because of outside opponent is far fewer than malicious agent signer and malice original signature people, so since the present invention can resist malicious agent signer and malice original signature people's attack, then also can resist outside opponent's attack.

Further, in order to ensure allograph method validation of the present invention fail safe, in step 1, select the p that satisfies condition at random according to security parameter k₀≡ 3mod8, q₀The prime number p of ≡ 7mod8₀, q₀As original signature people's private key, and with p₀, q₀Product n₀As original signature people PKI.

In order further to improve fail safe of the present invention, allograph people's of the present invention private key, PKI can be:

Select two safe prime p at random according to security parameter k₁, q₁Private key for the allograph people; Get p₁, q₁Product be_N1, select the multiplication group of integers

On an integer λ (n₁) the element g on rank, described

Integer

Then with described n₁, g is as allograph people's PKI.

The invention allows for a kind of signature verification method at allograph method of the present invention, comprise the following steps:

Whether the checking message m meets certificate of entrustment w, if not, then stops; Otherwise,

Based on message m, certificate of entrustment w, allograph, and whether allograph people's PKI, original signature people's PKI surveying agent signature is effective.

In sum, owing to adopted technique scheme, the invention has the beneficial effects as follows:

(1) length of allograph of the present invention is short, and the allograph processing speed is fast, and resource consumption is few;

(2) because the length of allograph of the present invention is short, the bandwidth that its transmission consumes is few, is specially adapted to the authorization activities of resource-constrained wireless network environment;

(3) the present invention is because Proxy Signature Scheme can be resisted original signature people's the attack of allograph people, the malice of outside opponent, malice, the theoretical proof fail safe of the present invention of deriving can be foretelling under the machine model stipulations at random to the integer resolution problem, and is safe.

Description of drawings

To illustrate by example and with reference to the mode of accompanying drawing, wherein:

Fig. 1 is allograph process flow diagram of the present invention;

Fig. 2 is that signature authorises of the present invention generates-verify flow chart;

Fig. 3 is that allograph of the present invention generates-verify flow chart.

Embodiment

Disclosed all features in this specification, or the step in disclosed all methods or the process except mutually exclusive feature and/or step, all can make up by any way.

Disclosed arbitrary feature in this specification (comprising any accessory claim, summary and accompanying drawing) is unless special narration all can be replaced by other equivalences or the alternative features with similar purpose.That is, unless special narration, each feature is an example in a series of equivalences or the similar characteristics.

With reference to Fig. 1, specific implementation process of the present invention is as follows:

Process 1, the key of original signature people Alice and allograph people Bob generates

(1.1) before the network operation, Alice selects the p that satisfies condition at random according to security parameter k₀≡ 3mod8 and q₀The prime number p of ≡ 7mod8₀And q₀, i.e. p₀For divided by 8 remainders being arbitrary prime number of 3, q₀For divided by 8 remainders being arbitrary prime number of 7, with p₀And q₀As the long-term private of Alice, and calculate prime number p₀And q₀Product n₀=p₀q₀PKI as Alice;

(1.2) Bob selects two safe prime p at random according to security parameter k₁, q₁And group

On an integer λ (n₁) the element g on rank, the computationally secure prime number p₀And q₀Product n₁=p₁q₁, integer

With the Ka Mixieer function

Select the group then

Last element g.The PKI of Bob and private key are respectively (n₁, g) with (p₁, q₁).

So-called safe prime namely requires the prime number of selection according to security parameter, and security parameter is the security requirement that obtains agreement according to scheme, and a pre-determined parameter of describing fail safe is binary bits how long in order to determine safe prime.Security parameter is made as k among the present invention, and value is generally 512,768,1024 or 2048 etc.

Process 2, original signature people Alice licenses to allograph people Bob with signature capabilities

When Alice has the demand of signature information, but when busier or own need limited in one's ability license to Bob with signature capabilities because of self, the Alice calculating and sending gives its signature authorises to give Bob, and whether Bob mandate of checking Alice earlier before generating allograph is effective.With reference to Fig. 2, being implemented as follows of this process:

(2.1) when Alice need license to Bob with signature capabilities, at first generate certificate of entrustment w, this certificate of entrustment comprises the PKI of Alice, the PKI of Bob, the term of validity of mandate and the message m of allograph etc.;

(2.2) Bob selects temporary private

And calculate interim PKI

Interim PKI r₁Send to Alice;

(2.3) Alice receives interim PKI r₁After, utilize certificate of entrustment w and the private key (p of oneself₀, q₀) generate its signature authorises (w, t₀, s₀, a₀, b₀), and by safe lane signature authorises is sent to Bob; The implementation procedure that Alice generates signature authorises is as follows:

(2.3a) Alice selects integer t at random₀, the hash value of calculating chameleon hash (hash) function:H wherein₂(w, r₁) be to be input as w||r₁Hash function, operation is appended in symbol " || " expression, namely r₁Append after w; Again with hash value h₂The certificate of entrustment w that generates with Alice is as part territory hash function H₁Input, calculating section territory hash value h_w=H₁(h₂, w);

(Partial-Domain Hash, PDH) size that refers to the hash function is a factor of modulus to so-called part territory hash function.Part territory hash function H among the present invention₁: { 0,1}^*→ [h₁, h'₁) and

Can be based on the consequence devised of Gentry, the distortion of the proposition of Gentry sees for details: C.Gentry.How to compress Rabin ciphertexts and signatures.In:Advances in Cryptology Crypto2004, LNCS3152, Springer-Verlag, 2004:179-200.

(2.3b) Alice calculates the Jacobi symbol, determines parameter a by the Jacobi symbol₀And b₀Value:

(2.3c) Alice utilizes the private key (p of oneself₀, q₀) to part territory hash value h_wSign, obtain the signature value:

$s_0\≡\left(2^{-a_0}{h}_w\right)\frac{n_0-p_0-q_0+5}{8}\mathrm{mod}{n}_0$

(2.3d) Alice by safe lane with its signature authorises (w, t₀, s₀, a₀, b₀) send to allograph people Bob.

(2.4) Bob receives signature authorises (w, the t of Alice₀, s₀, a₀, b₀) after, at first utilize certificate of entrustment w to calculate the hash value of chameleon hash function again

, with the hash value

With certificate of entrustment w as part territory hash function H₁Input, calculating section territory hash value$h_w^{*}=h_1(h_2^{*},w)$, formula is verified in check then$s_0^2\≡2^{{-a}_0}2h_w^{*}{(-1)}^{b_0}\mathrm{mod}{n}_0$Whether set up, if the checking formula is set up, represent that then signature authorises is effective, enter process 3; Otherwise signature authorises is invalid.

Process 3, Bob generates allograph

Allograph people Bob verifies at first whether message m meets certificate of entrustment w, if do not meet, then stops, otherwise utilizes message m, the private key (p of oneself₁, q₁) and certificate of entrustment w calculate the allograph σ=(a of message m based on the collision of chameleon hash function₀, b₀, s₀, r₂, t₁).Last Bob sends to the verifier to certificate of entrustment w and allograph σ.With reference to Fig. 3, the specific implementation process that generates allograph σ is as follows:

(3.1) Bob at first checks message m whether to meet certificate of entrustment w, if do not meet, then exports engineering noise and termination; Otherwise, enter step (3.2);

(3.2) Bob selects random value

With temporary private k₁Be updated to k₂, and calculate new interim PKI$r_2\≡g^{k_2}{\mathrm{mod}n}_1;$

(3.3) Bob generates message m random number corresponding t based on the collision of the chameleon hash functional value of certificate of entrustment w and message m₁:

$t_1\≡t_0+(k_2-k_1)+2^{\mathrm{\λ}\left(n_1\right)}(H_2(w,r_1)-H_3(m,r_2))\mathrm{mod}\mathrm{\λ}\left(n_1\right),$

Wherein, t₀In step (2.3a), the integer that Alice selects at random, λ (n₁) be the Ka Mixieer function, by (the p of Bob₁, q₁) determine H₂(w, r₁) refer to be input as message w and interim PKI r₁General hash function, H₃(m, r₂) refer to be input as m||r₂Hash function;

(3.4) allograph of message m under certificate of entrustment w is σ=(a₀, b₀, s₀, r₂, t₁).

Process 4, the verifier verifies the validity of allograph σ

The verifier receives allograph σ=(a of Bob₀, b₀, s₀, r₂, t₁) after, whether surveying agent's signature sigma is the effective allograph of message m under certificate of entrustment w.With reference to Fig. 3, being implemented as follows of this process:

(4.1) verifier at first checks message m whether to meet certificate of entrustment w, if do not meet, then exports engineering noise and termination; Otherwise, enter step (4.2);

(4.2) verifier utilizes allograph σ to calculate chameleon hash function

With the hash valueWith certificate of entrustment w as part territory hash function H₁Input, calculating section territory hash value

(4.3) verifier checks the checking formula

Whether set up, if set up, represent that then allograph is effective; Otherwise allograph is invalid.

The present invention is not limited to aforesaid embodiment.The present invention expands to any new feature or any new combination that discloses in this manual, and the arbitrary new method that discloses or step or any new combination of process.

Claims (7)

Translated fromChinese

1.一种新的基于整数分解问题的代理签名方法，其特征在于，包括下列步骤：1. A new proxy signature method based on integer decomposition problem, is characterized in that, comprises the following steps:步骤1：生成原始签名人的私钥、公钥，代理签名人的私钥、公钥；Step 1: Generate the private key and public key of the original signer, and the private key and public key of the proxy signer;步骤2：代理签名人根据其私钥、公钥生成临时公钥r₁，并发送给原始签名人；Step 2: The proxy signer generates a temporary public key r₁ according to its private key and public key, and sends it to the original signer;步骤3：原始签名人收到临时公钥r₁后，首先生成委托书w，再随机选择整数t₀，基于所生成的委托书w计算变色龙哈希函数的哈希值h₂，并对所述哈希值h₂进行数字签名，得到委托书w签名；并通过安全信道将签名授权发送给代理签名人，所述签名授权包含委托书w、委托书签名、整数t₀；Step 3: After receiving the temporary public key r₁ , the original signer first generates a power of attorney w, then randomly selects an integer t₀ , calculates the hash value h₂ of the chameleon hash function based on the generated power of attorney w, and calculates the The above hash value h₂ is digitally signed to obtain the power of attorney w signature; and the signature authorization is sent to the proxy signer through a secure channel, and the signature authorization includes power of attorney w, power of attorney signature, and integer t₀ ;步骤4：代理签名人对收到的签名授权进行有效性验证，若有效，则执行步骤5；Step 4: The proxy signer verifies the validity of the received signature authorization, and if it is valid, go to Step 5;步骤5：代理签名人验证代理签名消息m是否符合委托书w，若是，则：Step 5: The proxy signer verifies whether the proxy signature message m complies with the power of attorney w, if so, then:根据代理签名人的私钥、公钥生成临时公钥r₂；Generate a temporary public key r₂ according to the private key and public key of the proxy signer;根据所述临时公钥r₂，基于变色龙哈希函数的碰撞生成消息m对应的随机数t₁，所述变色龙哈希函数的碰撞为：委托书w、整数t0的变色龙哈希函数值和消息m、随机数t₁的变色龙哈希函数值相等，均为哈希值h₂；According to the temporary public key r₂ , the random number t₁ corresponding to the message m is generated based on the collision of the chameleon hash function, the collision of the chameleon hash function is: power of attorney w, the chameleon hash function value of the integer t0 and the message The chameleon hash function values of m and random number_t1 are equal, both of which are hash value_h2 ;由委托书签名、临时公钥r₂，随机数t₁构成消息m在委托书w下的代理签名。The signature of the power of attorney, the temporary public key r₂ , and the random number t₁ constitute the proxy signature of the message m under the power of attorney w.2.如权利要求1所述的方法，其特征在于，所述步骤1中，2. the method for claim 1 is characterized in that, in described step 1,根据安全参数k随机选择满足条件p₀≡3mod8、q₀≡7mod8的素数p₀、q₀作为原始签名人的私钥，并将p₀、q₀的乘积n₀作为原始签名人公钥。According to the security parameter k, the prime numbers p₀ and q 0 satisfying the conditions p₀ ≡ 3mod8 and q₀ ≡ 7mod8 are randomly selected as the private key of the original signer, and the product n₀ of p₀ and_{q 0is} used as the public key of the original signer.3.如权利要求1或2所述的方法，其特征在于，所述步骤1中，3. The method according to claim 1 or 2, characterized in that, in the step 1,根据安全参数k随机选择两个素数p₁、q₁为代理签名人的私钥；Randomly select two prime numbers p₁ and q₁ as the private key of the proxy signer according to the security parameter k;取所述p₁、q₁的乘积为n₁，选择乘法整数群

上的一个整数λ(n₁)阶的元素g，所述$\mathrm{\λ}\left(n_1\right)={2p}_1^{*}{q}_1^{*},$整数$p_1^{*}=\frac{p_1-1}{2},$$q_1^{*}=\frac{q_1-1}{2},$则将所述n₁、g作为代理签名人的公钥。Take the product of p₁ and q₁ as n₁ , and select the multiplicative integer group

An element g of order λ(n₁ ) on an integer, the$\mathrm{\λ}\left({\mathrm{no}}_1\right)={2p}_1^{*}{q}_1^{*},$ integer$p_1^{*}=\frac{p_1-1}{2},$$q_1^{*}=\frac{q_1-1}{2},$ Then, the n₁ and g are used as the public key of the proxy signer.4.如权利要求3所述的方法，其特征在于，所述步骤2中，代理签名人从加法整数群

中选择随机数k₁作为临时私钥，并计算临时公钥

4. The method according to claim 3, characterized in that, in said step 2, the proxy signer selects from the additive integer group

Select the random number k₁ as the temporary private key, and calculate the temporary public key

5.如权利要求3所述的方法，其特征在于，步骤3中，得到所述委托书w签名包括下列步骤：5. The method according to claim 3, wherein in step 3, obtaining the power of attorney w signature comprises the following steps:原始签名人根据整数t₀，计算变色龙哈希函数的哈希值，其中H₂(w,r₁)是输入为w||r₁的哈希函数，符号“||”表示追加操作；再将哈希值h₂和委托书w作为部分域哈希函数H₀的输入，得到部分域哈希值h_w=H₁(h₂,w)；The original signer calculates the hash value of the chameleon hash function according to the integer t₀ , where H₂ (w,r₁ ) is a hash function whose input is w||r₁ , and the symbol "||" indicates an append operation; then the hash value h₂ and the power of attorney w are used as the partial domain hash function H₀ input, get partial domain hash value h_w =H₁ (h₂ ,w);原始签名人基于雅克比符号来确定参数a₀和b₀的值：The original signer determines the values of parameters a₀ and b₀ based on the Jacobian sign:

原始签名人基于其私钥(p₀,q₀)对部分域哈希值h_w进行签名，得到签名值s₀：$s_0\≡\left(2^{-a_0}{h}_w\right)\frac{n_0-p_0-q_0+5}{8}\mathrm{mod}{n}_0;$The original signer signs the partial domain hash value h_w based on its private key (p₀ ,q₀ ), and obtains the signature value s₀ :${\mathrm{the\; s}}_0\≡\left(2^{-a_0}{h}_w\right)\frac{{\mathrm{no}}_0-p_0-q_0+5}{8}\mathrm{mod}{\mathrm{no}}_0;$由参数a₀、b₀、s₀构成所述委托书w签名；The power of attorney w signature is composed of parameters a₀ , b₀ , and s₀ ;则所述步骤4中，有效性验证为：Then in the step 4, the validity verification is:代理签名人基于委托书w再次计算变色龙哈希函数的哈希值

将所述哈希值

和委托书w作为部分域哈希函数H₁的输入，计算部分域哈希值$h_h^{*}=H_1(h_2^{*},w),$通过检验验证公式$s_0^2\≡2^{{-a}_0}2h_w^{*}{(-1)}^{b_0}\mathrm{mod}{n}_0$是否成立来完成有效性验证；The proxy signer calculates the hash value of the chameleon hash function again based on the power of attorney w

the hash value

and the power of attorney w as the input of the partial domain hash function H₁ to calculate the partial domain hash value$h_h^{*}=h_1(h_2^{*},w),$ Validate the formula by checking${\mathrm{the\; s}}_0^2\≡2^{{-a}_0}2h_w^{*}{(-1)}^{b_0}\mathrm{mod}{\mathrm{no}}_0$ Whether it is established to complete the validity verification;在所述步骤5中，生成消息m对应的随机数t₁具体为：In the step 5, the random number_t1 corresponding to the generated message m is specifically:代理签名人选择随机数

将临时私钥k₁更新为k₂，生成新的临时公钥$r_2\≡g^{k_2}\mathrm{mod}{n}_1,$则随机数t₁为：The proxy signer chooses the random number

Update the temporary private key k₁ to k₂ to generate a new temporary public key$r_2\&equiv;g^{k_2}\mathrm{mod}{\mathrm{no}}_1,$ Then the random number_t1 is:${\mathrm{<span><span>t</span>t</span>}}_{\mathrm{<span><span>1</span>1</span>}}<span><span>\&equiv;</span>\&equiv;</span>{\mathrm{<span><span>t</span>t</span>}}_{\mathrm{<span><span>0</span>0</span>}}<span><span>+</span>+</span><span><span>(</span>(</span>{\mathrm{<span><span>k</span>k</span>}}_{\mathrm{<span><span>2</span>2</span>}}<span><span>-</span>-</span>{\mathrm{<span><span>k</span>k</span>}}_{\mathrm{<span><span>1</span>1</span>}}<span><span>)</span>)</span><span><span>+</span>+</span>{\mathrm{<span><span>2</span>2</span>}}^{\mathrm{<span><span>\&lambda;</span>\&lambda;</span>}<span><span>(</span>(</span>{\mathrm{<span><span>n</span>no</span>}}_{\mathrm{<span><span>1</span>1</span>}}<span><span>)</span>)</span>}<span><span>(</span>(</span>{\mathrm{<span><span>H</span>h</span>}}_{\mathrm{<span><span>2</span>2</span>}}<span><span>(</span>(</span>\mathrm{<span><span>w</span>w</span>}<span><span>,</span>,</span>{\mathrm{<span><span>r</span>r</span>}}_{\mathrm{<span><span>1</span>1</span>}}<span><span>)</span>)</span><span><span>-</span>-</span>{\mathrm{<span><span>H</span>h</span>}}_{\mathrm{<span><span>3</span>3</span>}}<span><span>(</span>(</span>\mathrm{<span><span>m</span>m</span>}<span><span>,</span>,</span>{\mathrm{<span><span>r</span>r</span>}}_{\mathrm{<span><span>2</span>2</span>}}<span><span>)</span>)</span><span><span>)</span>)</span>\mathrm{<span><span>mod</span>mod</span>}\mathrm{<span><span>\&lambda;</span>\&lambda;</span>}<span><span>(</span>(</span>{\mathrm{<span><span>n</span>no</span>}}_{\mathrm{<span><span>1</span>1</span>}}<span><span>)</span>)</span><span><span>,</span>,</span>$其中H₃(m,r₂)是输入为m||r₂的哈希函数。Where H₃ (m,r₂ ) is a hash function whose input is m||r₂ .6.基于权利要求1的代理签名方法的签名验证方法，其特征在于，包括下列步骤：6. The signature verification method based on the proxy signature method of claim 1, characterized in that, comprising the following steps:验证消息m是否符合委托书w，若否，则终止；否则，Verify whether the message m conforms to the power of attorney w, if not, terminate; otherwise,基于委托书w，代理签名，以及代理签名人的公钥、原始签名人的公钥检验代理签名是否有效。Based on the power of attorney w, the proxy signature, and the public key of the proxy signer and the public key of the original signer, check whether the proxy signature is valid.7.基于权利要求6的代理签名方法的签名验证方法，其特征在于，包括下列步骤：7. The signature verification method based on the proxy signature method of claim 6, characterized in that, comprising the following steps:步骤S1：检验消息m是否符合委托书w，若是，则终止；否则，执行步骤S2；Step S1: Check whether the message m conforms to the power of attorney w, if so, terminate; otherwise, execute step S2;步骤S2：根据消息m、代理签名中的变色龙哈希函数的随机数t₁，以及代理签名人的公钥n₁，g、临时公钥r₂计算变色龙哈希函数

将所述哈希值

和委托书w作为部分域哈希函数H₁的输入，计算部分域哈希值

Step S2: Calculate the chameleon hash function according to the message m, the random number t₁ of the chameleon hash function in the proxy signature, and the public key n₁ of the proxy signer, g, and the temporary public key r₂

the hash value

and the power of attorney w as the input of the partial domain hash function H₁ to calculate the partial domain hash value

再基于原始签名人的公钥n₀和代理签名，检验验证公式

是否成立，若是，则表示代理签名有效；否则，代理签名无效。Then, based on the public key n₀ of the original signer and the proxy signature, verify the verification formula

Whether it is established, if so, it means that the proxy signature is valid; otherwise, the proxy signature is invalid.

Images