基于JPBC的無證書聚合簽名方案實(shí)現(xiàn)

摘要

一開始簽名方案是基于PKI的，無證書簽名起源于 基于身份密碼體制， 2009 年第一篇無證書簽名方案1被提出，隨后出現(xiàn)了一些列方案2,3;包括無配對(duì)的無證書聚合簽名方案4,更多內(nèi)容參考文獻(xiàn)5.

暫時(shí)沒有看見無證書聚合簽名方案實(shí)現(xiàn)相關(guān)的代碼，本文基于JPBC庫實(shí)現(xiàn)，使用方法可以參考B站視頻。也可以使用C++和PBC庫實(shí)現(xiàn)。

方案概述

本文方案是基于論文3描述的。

Setup：
給定安全參數(shù) $\kappa \in Z$，KGC選擇兩個(gè)循環(huán)群 $G_1$ 、$G_2$，其階均為素?cái)?shù) $q$ ， $G_1$ 的生成元$P$，計(jì)算可接受的配對(duì) $e:G_1\times G_1\to G_2$ 。 KGC 隨機(jī)選擇主密鑰 $s\in Z_q^{?}$ ，設(shè)置 $P_{pub}=sP$ ，選擇加密哈希函數(shù) H 1 : { 0 , 1 } ? → G 1 H_1:\{0,1\}^\ast→G_1 H1?:{0,1}?→G1? , H 2 : { 0 , 1 } ? → G 1 H_2:\{0,1\}^\ast→G_1 H2?:{0,1}?→G1?, H 3 : { 0 , 1 } ? → Z q ? H_3:\{0,1\}^\ast→Z_q^\ast H3?:{0,1}?→Zq??. 系統(tǒng)參數(shù)為 { q , G 1 , G 2 , e , P , P p u b , H 1 , H 2 , H 3 } \{q,G_1,G_2,e,P,P_{pub},H_1,H_2,H_3 \} {q,G1?,G2?,e,P,Ppub?,H1?,H2?,H3?}, 主密鑰是s。

PartialKeyGen:
給定用戶身份 I D i ∈ { 0 , 1 } ? ID_i\in \{0,1\}^\ast IDi?∈{0,1}?，KGC首先計(jì)算$Q_{I{D}_i}=H_1(I{D}_i)$。 然后，它設(shè)置該用戶的部分密鑰$ps{k}_{I{D}_i}=s{Q}_{(}I{D}_i)$并將其通過安全通道傳輸給對(duì)應(yīng)用戶。 用戶可以通過檢查是否正確來檢查其正確性$e(ps{k}_{I{D}_i},P)=e(Q_{I{D}_i},P_{pub})$。

UserKeyGen:
用戶$I{D}_i$隨機(jī)選擇值$x_{I{D}_i}\in Z_q^{?}$作為他的用戶私鑰$us{k}_{I{D}_i}$，并且計(jì)算用戶公鑰$up{k}_{I{D}_i}=x_{I{D}_i}P$。

Sign:
對(duì)于消息$m_i\in {0,1}^{?}$，選擇狀態(tài)信息$?$(選擇公開參數(shù)作為狀態(tài)信息)，具有$I{D}_i$身份的簽名者執(zhí)行以下步驟：

1. 選擇隨機(jī)數(shù)$r_i\in Z_q^{?}$并且計(jì)算$U_i=r_{i}P\in G_1$.
2. 計(jì)算$Q=H_2(?),h_i=H_3(m_i,I{D}_i,up{k}_{I{D}_i},U_i)$
3. 計(jì)算$V_i=ps{k}_{I{D}_i}+r_i?Q+h_i?x_i?P_{pub}$.

輸出$(U_i,V_i)$作為$m_i$的簽名。

Verify ：
給定一個(gè)消息$m_i$簽名$(U_i,V_i)$，其對(duì)應(yīng)的身份為$I{D}_i$和公鑰$up{k}_{I{D}_i}$，計(jì)算$Q_{(}I{D}_i)=H_1(I{D}_i),Q=H_2(?)$ ,
$h_i=H_3(m_i,I{D}_i,up{k}_{I{D}_i},U_i)$
如果等式 $e(V_i,P)=e(h_i?up{k}_{I{D}_i}+Q_{I{D}_i},P_{pub})e(U_i,Q)$ 成立，接收簽名；否則拒絕。

Aggregate：
任何人都可以充當(dāng)聚合簽名生成器, 對(duì)于n個(gè)用戶的聚合集 { U 1 , … , U n } \{U_1,…,U_n\} {U1?,…,Un?}其對(duì)應(yīng)身份為 { I D 1 , … , I D n } \{ID_1,…,ID_n \} {ID1?,…,IDn?}以及對(duì)應(yīng)公鑰 { u p k 1 , … , u p k n } \{upk_1,…,upk_n\} {upk1?,…,upkn?},對(duì)應(yīng)消息簽名對(duì)為$\{(m_1,{\sigma }_1=(U_1,V_1)),\dots ,(m_n,{\sigma }_n=(U_n,V_n))\}$,
聚合簽名計(jì)算：$V={\sum }_{i=1}^n{V}_i$, 將$\sigma =(U_1,\dots ,U_n,V)$作為聚合簽名。

Aggregate-Verify：
驗(yàn)證聚合簽名$\sigma =(U_1,\dots ,U_n,V)$由n個(gè)用戶 { U 1 , … , U n } \{U_1,…,U_n\} {U1?,…,Un?}身份為 { I D 1 , … , I D n } \{ID_1,…,ID_n\} {ID1?,…,IDn?}和對(duì)應(yīng)的公鑰 { u p k 1 , … , u p k n } \{upk_1,…,upk_n\} {upk1?,…,upkn?}；關(guān)于消息 { m 1 , … , m n } \{m_1,…,m_n \} {m1?,…,mn?} 驗(yàn)證者執(zhí)行以下操作:
計(jì)算 $Q_{I{D}_i}=H_1(I{D}_i),Q=H_2(?),h_i=H_3(m_i,I{D}_i,up{k}_{I{D}_i},U_i),i=1,\dots ,n$.
驗(yàn)證：$e(V,P)=e({\sum }_{i=1}^n[h_i?up{k}_{I{D}_i}+Q_{I{D}_i}],P_{pub})e({\sum }_{i=1}^n{U}_i,Q)$.如果滿足則通過；否則驗(yàn)證失敗。

代碼實(shí)現(xiàn)

整體思路， 將相關(guān)密鑰信息作為文件保存（序列化后可以通過網(wǎng)絡(luò)傳輸），根據(jù)方案不同的功能設(shè)計(jì)不同的函數(shù)。

關(guān)于文件a_181_603.properties的內(nèi)容

type=a
q=98826429041171753291515535532523512299028170537954154869719707264887274916552228805607584116490046284509883309001532457986879277885241872021906840932513241346999389365188296460009947
h=32243626948934860887488490158437299489453513352745889246437755713701521031193083418924110592954582395114812811896992400310730276
r=3064991081731777546575510593831386635550174528483098623
exp2=181
exp1=127
sign1=-1
sign0=-1

代碼

import it.unisa.dia.gas.jpbc.Element;
import it.unisa.dia.gas.jpbc.Pairing;
import it.unisa.dia.gas.plaf.jpbc.pairing.PairingFactory;import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.*;public class CLAS {//生成公私鑰對(duì),并保存到文件中public static void Setup(String pairingParametersFileName, String pubParamFileName, String KGC_SK_FileName) {Pairing bp = PairingFactory.getPairing(pairingParametersFileName);//G1的生成元PElement P = bp.getG1().newRandomElement().getImmutable();//計(jì)算主私鑰和公鑰Element s = bp.getZr().newRandomElement().getImmutable();Element P_Pub = P.mulZn(s);Properties pubParamProp = new Properties();//后面對(duì)寫的元素統(tǒng)一采用如下方法：首先將元素轉(zhuǎn)為字節(jié)數(shù)組，然后進(jìn)行Base64編碼為可讀字符串pubParamProp.setProperty("P", Base64.getEncoder().encodeToString(P.toBytes()));pubParamProp.setProperty("P_Pub", Base64.getEncoder().encodeToString(P_Pub.toBytes()));storePropToFile(pubParamProp, pubParamFileName);Properties param_s = new Properties();//私鑰不存入公開參數(shù)中,由KGC自己保存param_s.setProperty("s", Base64.getEncoder().encodeToString(s.toBytes()));storePropToFile(param_s, KGC_SK_FileName);}//根據(jù)用戶id生成私鑰public static void PartialPrivateKeyGen(String pairingParametersFileName, String id, String KGC_SK_FileName) throws NoSuchAlgorithmException {Pairing bp = PairingFactory.getPairing(pairingParametersFileName);//使用HASH 將 id 轉(zhuǎn)為QIDbyte[] idHash = HASH(id);Element QID = bp.getG1().newElementFromHash(idHash, 0, idHash.length).getImmutable();//從文件中讀取 主私鑰Properties mskProp = loadPropFromFile(KGC_SK_FileName);String sString = mskProp.getProperty("s");Element s = bp.getZr().newElementFromBytes(Base64.getDecoder().decode(sString)).getImmutable();  //Base64編碼后對(duì)應(yīng)的恢復(fù)元素的方法//計(jì)算用戶私鑰, 這里應(yīng)該將私鑰安全的傳輸給用戶//方便模擬，統(tǒng)一存入一個(gè)文件中Element psk_ID = QID.powZn(s).getImmutable();Properties pskProp = new Properties();pskProp.setProperty("psk", Base64.getEncoder().encodeToString(psk_ID.toBytes()));storePropToFile(pskProp, id + ".properties");}//生成用戶私鑰public static void UserKeyGen(String pairingParametersFileName, String pubParamFileName, String id) {Pairing bp = PairingFactory.getPairing(pairingParametersFileName);//從文件中讀取公鑰Properties pkProp = loadPropFromFile(pubParamFileName);String PString = pkProp.getProperty("P");Element P = bp.getG1().newElementFromBytes(Base64.getDecoder().decode(PString)).getImmutable();//生成隨機(jī)數(shù)x，作為用戶的私鑰Element x = bp.getZr().newRandomElement().getImmutable();//計(jì)算用戶公鑰Element upk = P.mulZn(x);Properties userProp = new Properties();userProp.setProperty("usk", Base64.getEncoder().encodeToString(x.toBytes()));userProp.setProperty("upk", Base64.getEncoder().encodeToString(upk.toBytes()));storePropToFile(userProp, id + ".properties");}//簽名public static Element[] Sign(String pairingParametersFileName, String pubParamFileName, String id, byte[] message) throws NoSuchAlgorithmException {Pairing bp = PairingFactory.getPairing(pairingParametersFileName);//獲取公開參數(shù)Properties pubProp = loadPropFromFile(pubParamFileName);Element P = bp.getG1().newElementFromBytes(Base64.getDecoder().decode(pubProp.getProperty("P"))).getImmutable();Element P_Pub = bp.getG1().newElementFromBytes(Base64.getDecoder().decode(pubProp.getProperty("P_Pub"))).getImmutable();//獲取用戶自己的信息Properties userProp = loadPropFromFile(id + ".properties");Element upk = bp.getG1().newElementFromBytes(Base64.getDecoder().decode(userProp.getProperty("upk"))).getImmutable();Element x = bp.getZr().newElementFromBytes(Base64.getDecoder().decode(userProp.getProperty("usk"))).getImmutable();Element psk = bp.getG1().newElementFromBytes(Base64.getDecoder().decode(userProp.getProperty("psk"))).getImmutable();//選擇隨機(jī)數(shù)Element r = bp.getZr().newRandomElement();Element U = P.mulZn(r).getImmutable();//獲取狀態(tài)信息，將公開參數(shù)作為狀態(tài)信息String p = pubProp.getProperty("P");String pPub = pubProp.getProperty("P_Pub");byte[] hash = HASH(p + pPub);Element Q = hashToG(bp, hash);// 計(jì)算m, id, upk,U組合的hash值byte[] res = hashCombination(message, id.getBytes(), upk.toBytes(), U.toBytes());Element h = hashToZ(bp, res);Element V = P_Pub.mulZn(x).mulZn(h).add(Q.mulZn(r)).add(psk).getImmutable();Element[] sigma = new Element[2];sigma[0] = U;sigma[1] = V;return sigma;}//驗(yàn)證public static boolean Verify(String pairingParametersFileName, String pubParamFileName, String id, byte[] message, Element[] sigma) throws NoSuchAlgorithmException {Pairing bp = PairingFactory.getPairing(pairingParametersFileName);//使用sha1 將 id 轉(zhuǎn)為QIDbyte[] idHash = HASH(id);Element QID = bp.getG1().newElementFromHash(idHash, 0, idHash.length).getImmutable();//獲取公開參數(shù)Properties pubProp = loadPropFromFile(pubParamFileName);Element P = bp.getG1().newElementFromBytes(Base64.getDecoder().decode(pubProp.getProperty("P"))).getImmutable();Element P_Pub = bp.getG1().newElementFromBytes(Base64.getDecoder().decode(pubProp.getProperty("P_Pub"))).getImmutable();//獲取狀態(tài)信息，將公開參數(shù)作為狀態(tài)信息String p = pubProp.getProperty("P");String pPub = pubProp.getProperty("P_Pub");byte[] hash = HASH(p + pPub);Element Q = hashToG(bp, hash);//獲取用戶的公鑰，Properties userProp = loadPropFromFile(id + ".properties");Element upk = bp.getG1().newElementFromBytes(Base64.getDecoder().decode(userProp.getProperty("upk"))).getImmutable();// 計(jì)算m, id, upk,U組合的hash值byte[] res = hashCombination(message, id.getBytes(), upk.toBytes(), sigma[0].toBytes());Element h = hashToZ(bp, res);Element left = bp.pairing(sigma[1], P);Element right = bp.pairing(QID.add(upk.mulZn(h)), P_Pub).mul(bp.pairing(sigma[0], Q));return left.isEqual(right);}//聚合簽名, U_1,U_2,...,U_n,Vpublic static Element[] Aggregate(List<Element[]> sigmaList) {Element[] res = new Element[sigmaList.size() + 1];Element[] init = sigmaList.get(0);res[0] = init[0];Element V = init[1];for (int i = 1; i < sigmaList.size(); i++) {res[i] = sigmaList.get(i)[0];V = V.add(sigmaList.get(1)[1]);}res[sigmaList.size()] = V;return res;}// 聚合簽名驗(yàn)證public static boolean AggregateVerify(String pairingParametersFileName, String pubParamFileName, String[] idx, byte[][] message, Element[] sigma) throws NoSuchAlgorithmException {Pairing bp = PairingFactory.getPairing(pairingParametersFileName);Element[] QIDX = new Element[idx.length];for (int i = 0; i < idx.length; i++) {byte[] idHash = HASH(idx[i]);Element QID = bp.getG1().newElementFromHash(idHash, 0, idHash.length).getImmutable();QIDX[i] = QID;}//獲取公開參數(shù)信息Properties pubProp = loadPropFromFile(pubParamFileName);Element P = bp.getG1().newElementFromBytes(Base64.getDecoder().decode(pubProp.getProperty("P"))).getImmutable();Element P_Pub = bp.getG1().newElementFromBytes(Base64.getDecoder().decode(pubProp.getProperty("P_Pub"))).getImmutable();String p = pubProp.getProperty("P");String pPub = pubProp.getProperty("P_Pub");byte[] hash = HASH(p + pPub);Element Q = hashToG(bp, hash);Element[] PKX = new Element[idx.length];for (int i = 0; i < idx.length; i++) {Properties userProp = loadPropFromFile(idx[i] + ".properties");Element upk = bp.getG1().newElementFromBytes(Base64.getDecoder().decode(userProp.getProperty("upk"))).getImmutable();PKX[i] = upk;}Element[] hx = new Element[idx.length];for (int i = 0; i < idx.length; i++) {byte[] res = hashCombination(message[i], idx[i].getBytes(), PKX[i].toBytes(), sigma[i].toBytes());Element h = hashToZ(bp, res);hx[i] = h;}Element left = bp.pairing(sigma[idx.length], P);Element U = sigma[0];for (int i = 1; i < idx.length; i++) {U = U.add(sigma[i]);}Element part = QIDX[0].add(PKX[0].mulZn(hx[0]));for (int i = 1; i < idx.length; i++) {part = part.add(QIDX[i].add(PKX[i].mulZn(hx[i])));}Element right = bp.pairing(part, P_Pub).mul(bp.pairing(U, Q));return left.isEqual(right);}//一種可行的組合方法public static byte[] hashCombination(byte[] message, byte[] id, byte[] upk, byte[] U) throws NoSuchAlgorithmException {int m_len = message.length, id_len = id.length, upk_len = upk.length, u_len = U.length;int total_len = m_len + id_len + upk_len + u_len;byte[] res = new byte[total_len];for (int i = 0; i < m_len; i++) {res[i] = message[i];}for (int i = 0; i < id_len; i++) {res[i + m_len] = id[i];}for (int i = 0; i < upk_len; i++) {res[i + m_len + id_len] = upk[i];}for (int i = 0; i < u_len; i++) {res[i + m_len + id_len + upk_len] = U[i];}MessageDigest instance = MessageDigest.getInstance("SHA-256");instance.update(res);return instance.digest();}public static void storePropToFile(Properties prop, String fileName) {try (FileOutputStream out = new FileOutputStream(fileName, true)) {prop.store(out, null);} catch (IOException e) {e.printStackTrace();System.out.println(fileName + " save failed!");System.exit(-1);}}public static Properties loadPropFromFile(String fileName) {Properties prop = new Properties();try (FileInputStream in = new FileInputStream(fileName)) {prop.load(in);} catch (IOException e) {e.printStackTrace();System.out.println(fileName + " load failed!");System.exit(-1);}return prop;}public static byte[] HASH(String content) throws NoSuchAlgorithmException {MessageDigest instance = MessageDigest.getInstance("SHA-1");instance.update(content.getBytes());return instance.digest();}public static Element hashToG(Pairing pb, byte[] code) {return pb.getG1().newElementFromHash(code, 0, code.length).getImmutable();}public static Element hashToZ(Pairing pb, byte[] code) {return pb.getZr().newElementFromHash(code, 0, code.length).getImmutable();}public static void main(String[] args) throws Exception {String pairingParametersFileName = "a_181_603.properties";String idAlice = "alice@example.com";String idBob = "bob@example.com";String pubParamFileName = "data/pub.properties";String KGCFileName = "data/kgc.properties";Setup(pairingParametersFileName, pubParamFileName, KGCFileName);PartialPrivateKeyGen(pairingParametersFileName, idAlice, KGCFileName);PartialPrivateKeyGen(pairingParametersFileName, idBob, KGCFileName);UserKeyGen(pairingParametersFileName, pubParamFileName, idAlice);UserKeyGen(pairingParametersFileName, pubParamFileName, idBob);String message_a = "Alice,This is a message from Alice!";String message_b = "Bob,This is a message from Bob!";Element[] sigma1 = Sign(pairingParametersFileName, pubParamFileName, idAlice, message_a.getBytes());Element[] sigma2 = Sign(pairingParametersFileName, pubParamFileName, idBob, message_b.getBytes());boolean result = Verify(pairingParametersFileName, pubParamFileName, idAlice, message_a.getBytes(), sigma1);System.out.println("Alice 驗(yàn)證簽名通過？ " + result);result = Verify(pairingParametersFileName, pubParamFileName, idBob, message_b.getBytes(), sigma2);System.out.println("Bob 驗(yàn)證簽名通過？ " + result);List<Element[]> sigmaList = new ArrayList<>();sigmaList.add(sigma1);sigmaList.add(sigma2);Element[] SIGMA = Aggregate(sigmaList);String[] idx = {idAlice, idBob};byte[][] message = {message_a.getBytes(), message_b.getBytes()};
//        message[0][1] = 1;//假如消息被篡改result = AggregateVerify(pairingParametersFileName, pubParamFileName, idx, message, SIGMA);System.out.println("聚合簽名驗(yàn)證通過？ " + result);}}

參考文獻(xiàn)

1. A new certificateless aggregate signature scheme

2. Cryptanalysis and improvement of a certificateless aggregate signature scheme

3. A certificateless aggregate signature scheme for healthcare wireless sensor network

4. Efficient certificateless aggregate signcryption scheme without bilinear pairings

5. Security issues in IoT applications using certificateless aggregate signcryption schemes: An overview