基于JPBC的无证书聚合签名方案实现

基于JPBC的无证书聚合签名方案实现

摘要

一开始签名方案是基于PKI的，无证书签名起源于 基于身份密码体制， 2009 年第一篇无证书签名方案1被提出，随后出现了一些列方案2,3;包括无配对的无证书聚合签名方案4,更多内容参考文献5.

暂时没有看见无证书聚合签名方案实现相关的代码，本文基于JPBC库实现，使用方法可以参考B站视频。也可以使用C++和PBC库实现。

方案概述

本文方案是基于论文3描述的。

Setup：
给定安全参数 $\kappa \in Z$，KGC选择两个循环群 $G_1$ 、$G_2$，其阶均为素数 $q$ ， $G_1$ 的生成元$P$，计算可接受的配对 $e:G_1\times G_1\to G_2$ 。 KGC 随机选择主密钥 $s\in Z_q^{\ast }$ ，设置 $P_{pub}=sP$ ，选择加密哈希函数 H 1 : { 0 , 1 } ∗ → G 1 H_1:\{0,1\}^\ast→G_1 H1​:{0,1}∗→G1​ , H 2 : { 0 , 1 } ∗ → G 1 H_2:\{0,1\}^\ast→G_1 H2​:{0,1}∗→G1​, H 3 : { 0 , 1 } ∗ → Z q ∗ H_3:\{0,1\}^\ast→Z_q^\ast H3​:{0,1}∗→Zq∗​. 系统参数为 { q , G 1 , G 2 , e , P , P p u b , H 1 , H 2 , H 3 } \{q,G_1,G_2,e,P,P_{pub},H_1,H_2,H_3 \} {q,G1​,G2​,e,P,Ppub​,H1​,H2​,H3​}, 主密钥是s。

PartialKeyGen:
给定用户身份 I D i ∈ { 0 , 1 } ∗ ID_i\in \{0,1\}^\ast IDi​∈{0,1}∗，KGC首先计算$Q_{I{D}_i}=H_1(I{D}_i)$。 然后，它设置该用户的部分密钥$ps{k}_{I{D}_i}=s{Q}_{(}I{D}_i)$并将其通过安全通道传输给对应用户。 用户可以通过检查是否正确来检查其正确性$e(ps{k}_{I{D}_i},P)=e(Q_{I{D}_i},P_{pub})$。

UserKeyGen:
用户$I{D}_i$随机选择值$x_{I{D}_i}\in Z_q^{\ast }$作为他的用户私钥$us{k}_{I{D}_i}$，并且计算用户公钥$up{k}_{I{D}_i}=x_{I{D}_i}P$。

Sign:
对于消息$m_i\in {0,1}^{\ast }$，选择状态信息$∆$(选择公开参数作为状态信息)，具有$I{D}_i$身份的签名者执行以下步骤：

1. 选择随机数$r_i\in Z_q^{\ast }$并且计算$U_i=r_{i}P\in G_1$.
2. 计算$Q=H_2(∆),h_i=H_3(m_i,I{D}_i,up{k}_{I{D}_i},U_i)$
3. 计算$V_i=ps{k}_{I{D}_i}+r_i\cdot Q+h_i\cdot x_i\cdot P_{pub}$.

输出$(U_i,V_i)$作为$m_i$的签名。

Verify ：
给定一个消息$m_i$签名$(U_i,V_i)$，其对应的身份为$I{D}_i$和公钥$up{k}_{I{D}_i}$，计算$Q_{(}I{D}_i)=H_1(I{D}_i),Q=H_2(∆)$ ,
$h_i=H_3(m_i,I{D}_i,up{k}_{I{D}_i},U_i)$
如果等式 $e(V_i,P)=e(h_i\cdot up{k}_{I{D}_i}+Q_{I{D}_i},P_{pub})e(U_i,Q)$ 成立，接收签名；否则拒绝。

Aggregate：
任何人都可以充当聚合签名生成器, 对于n个用户的聚合集 { U 1 , … , U n } \{U_1,…,U_n\} {U1​,…,Un​}其对应身份为 { I D 1 , … , I D n } \{ID_1,…,ID_n \} {ID1​,…,IDn​}以及对应公钥 { u p k 1 , … , u p k n } \{upk_1,…,upk_n\} {upk1​,…,upkn​},对应消息签名对为$\{(m_1,{\sigma }_1=(U_1,V_1)),\dots ,(m_n,{\sigma }_n=(U_n,V_n))\}$,
聚合签名计算：$V={\sum }_{i=1}^n{V}_i$, 将$\sigma =(U_1,\dots ,U_n,V)$作为聚合签名。

Aggregate-Verify：
验证聚合签名$\sigma =(U_1,\dots ,U_n,V)$由n个用户 { U 1 , … , U n } \{U_1,…,U_n\} {U1​,…,Un​}身份为 { I D 1 , … , I D n } \{ID_1,…,ID_n\} {ID1​,…,IDn​}和对应的公钥 { u p k 1 , … , u p k n } \{upk_1,…,upk_n\} {upk1​,…,upkn​}；关于消息 { m 1 , … , m n } \{m_1,…,m_n \} {m1​,…,mn​} 验证者执行以下操作:
计算 $Q_{I{D}_i}=H_1(I{D}_i),Q=H_2(∆),h_i=H_3(m_i,I{D}_i,up{k}_{I{D}_i},U_i),i=1,\dots ,n$.
验证：$e(V,P)=e({\sum }_{i=1}^n[h_i\cdot up{k}_{I{D}_i}+Q_{I{D}_i}],P_{pub})e({\sum }_{i=1}^n{U}_i,Q)$.如果满足则通过；否则验证失败。

代码实现

整体思路， 将相关密钥信息作为文件保存（序列化后可以通过网络传输），根据方案不同的功能设计不同的函数。

关于文件a_181_603.properties的内容

type=a
q=98826429041171753291515535532523512299028170537954154869719707264887274916552228805607584116490046284509883309001532457986879277885241872021906840932513241346999389365188296460009947
h=32243626948934860887488490158437299489453513352745889246437755713701521031193083418924110592954582395114812811896992400310730276
r=3064991081731777546575510593831386635550174528483098623
exp2=181
exp1=127
sign1=-1
sign0=-1
1
2
3
4
5
6
7
8

代码

import it.unisa.dia.gas.jpbc.Element;
import it.unisa.dia.gas.jpbc.Pairing;
import it.unisa.dia.gas.plaf.jpbc.pairing.PairingFactory;

import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.*;

public class CLAS {

    //生成公私钥对,并保存到文件中
    public static void Setup(String pairingParametersFileName, String pubParamFileName, String KGC_SK_FileName) {
        Pairing bp = PairingFactory.getPairing(pairingParametersFileName);
        //G1的生成元P
        Element P = bp.getG1().newRandomElement().getImmutable();
        //计算主私钥和公钥
        Element s = bp.getZr().newRandomElement().getImmutable();
        Element P_Pub = P.mulZn(s);

        Properties pubParamProp = new Properties();

        //后面对写的元素统一采用如下方法：首先将元素转为字节数组，然后进行Base64编码为可读字符串
        pubParamProp.setProperty("P", Base64.getEncoder().encodeToString(P.toBytes()));
        pubParamProp.setProperty("P_Pub", Base64.getEncoder().encodeToString(P_Pub.toBytes()));

        storePropToFile(pubParamProp, pubParamFileName);

        Properties param_s = new Properties();//私钥不存入公开参数中,由KGC自己保存
        param_s.setProperty("s", Base64.getEncoder().encodeToString(s.toBytes()));
        storePropToFile(param_s, KGC_SK_FileName);
    }

    //根据用户id生成私钥
    public static void PartialPrivateKeyGen(String pairingParametersFileName, String id, String KGC_SK_FileName) throws NoSuchAlgorithmException {
        Pairing bp = PairingFactory.getPairing(pairingParametersFileName);
        //使用HASH 将 id 转为QID
        byte[] idHash = HASH(id);
        Element QID = bp.getG1().newElementFromHash(idHash, 0, idHash.length).getImmutable();

        //从文件中读取 主私钥
        Properties mskProp = loadPropFromFile(KGC_SK_FileName);
        String sString = mskProp.getProperty("s");
        Element s = bp.getZr().newElementFromBytes(Base64.getDecoder().decode(sString)).getImmutable();  //Base64编码后对应的恢复元素的方法

        //计算用户私钥, 这里应该将私钥安全的传输给用户
        //方便模拟，统一存入一个文件中
        Element psk_ID = QID.powZn(s).getImmutable();
        Properties pskProp = new Properties();
        pskProp.setProperty("psk", Base64.getEncoder().encodeToString(psk_ID.toBytes()));
        storePropToFile(pskProp, id + ".properties");
    }

    //生成用户私钥
    public static void UserKeyGen(String pairingParametersFileName, String pubParamFileName, String id) {
        Pairing bp = PairingFactory.getPairing(pairingParametersFileName);
        //从文件中读取公钥
        Properties pkProp = loadPropFromFile(pubParamFileName);
        String PString = pkProp.getProperty("P");

        Element P = bp.getG1().newElementFromBytes(Base64.getDecoder().decode(PString)).getImmutable();
        //生成随机数x，作为用户的私钥
        Element x = bp.getZr().newRandomElement().getImmutable();
        //计算用户公钥
        Element upk = P.mulZn(x);

        Properties userProp = new Properties();
        userProp.setProperty("usk", Base64.getEncoder().encodeToString(x.toBytes()));
        userProp.setProperty("upk", Base64.getEncoder().encodeToString(upk.toBytes()));
        storePropToFile(userProp, id + ".properties");
    }

    //签名
    public static Element[] Sign(String pairingParametersFileName, String pubParamFileName, String id, byte[] message) throws NoSuchAlgorithmException {
        Pairing bp = PairingFactory.getPairing(pairingParametersFileName);
        //获取公开参数
        Properties pubProp = loadPropFromFile(pubParamFileName);
        Element P = bp.getG1().newElementFromBytes(Base64.getDecoder().decode(pubProp.getProperty("P"))).getImmutable();
        Element P_Pub = bp.getG1().newElementFromBytes(Base64.getDecoder().decode(pubProp.getProperty("P_Pub"))).getImmutable();

        //获取用户自己的信息
        Properties userProp = loadPropFromFile(id + ".properties");
        Element upk = bp.getG1().newElementFromBytes(Base64.getDecoder().decode(userProp.getProperty("upk"))).getImmutable();
        Element x = bp.getZr().newElementFromBytes(Base64.getDecoder().decode(userProp.getProperty("usk"))).getImmutable();
        Element psk = bp.getG1().newElementFromBytes(Base64.getDecoder().decode(userProp.getProperty("psk"))).getImmutable();

        //选择随机数
        Element r = bp.getZr().newRandomElement();
        Element U = P.mulZn(r).getImmutable();

        //获取状态信息，将公开参数作为状态信息
        String p = pubProp.getProperty("P");
        String pPub = pubProp.getProperty("P_Pub");
        byte[] hash = HASH(p + pPub);
        Element Q = hashToG(bp, hash);

        // 计算m, id, upk,U组合的hash值
        byte[] res = hashCombination(message, id.getBytes(), upk.toBytes(), U.toBytes());
        Element h = hashToZ(bp, res);


        Element V = P_Pub.mulZn(x).mulZn(h).add(Q.mulZn(r)).add(psk).getImmutable();

        Element[] sigma = new Element[2];
        sigma[0] = U;
        sigma[1] = V;
        return sigma;

    }

    //验证
    public static boolean Verify(String pairingParametersFileName, String pubParamFileName, String id, byte[] message, Element[] sigma) throws NoSuchAlgorithmException {
        Pairing bp = PairingFactory.getPairing(pairingParametersFileName);

        //使用sha1 将 id 转为QID
        byte[] idHash = HASH(id);
        Element QID = bp.getG1().newElementFromHash(idHash, 0, idHash.length).getImmutable();

        //获取公开参数
        Properties pubProp = loadPropFromFile(pubParamFileName);
        Element P = bp.getG1().newElementFromBytes(Base64.getDecoder().decode(pubProp.getProperty("P"))).getImmutable();
        Element P_Pub = bp.getG1().newElementFromBytes(Base64.getDecoder().decode(pubProp.getProperty("P_Pub"))).getImmutable();

        //获取状态信息，将公开参数作为状态信息
        String p = pubProp.getProperty("P");
        String pPub = pubProp.getProperty("P_Pub");
        byte[] hash = HASH(p + pPub);
        Element Q = hashToG(bp, hash);

        //获取用户的公钥，
        Properties userProp = loadPropFromFile(id + ".properties");
        Element upk = bp.getG1().newElementFromBytes(Base64.getDecoder().decode(userProp.getProperty("upk"))).getImmutable();

        // 计算m, id, upk,U组合的hash值
        byte[] res = hashCombination(message, id.getBytes(), upk.toBytes(), sigma[0].toBytes());

        Element h = hashToZ(bp, res);

        Element left = bp.pairing(sigma[1], P);
        Element right = bp.pairing(QID.add(upk.mulZn(h)), P_Pub).mul(bp.pairing(sigma[0], Q));
        return left.isEqual(right);
    }

    //聚合签名, U_1,U_2,...,U_n,V
    public static Element[] Aggregate(List<Element[]> sigmaList) {
        Element[] res = new Element[sigmaList.size() + 1];
        Element[] init = sigmaList.get(0);
        res[0] = init[0];
        Element V = init[1];
        for (int i = 1; i < sigmaList.size(); i++) {
            res[i] = sigmaList.get(i)[0];
            V = V.add(sigmaList.get(1)[1]);
        }
        res[sigmaList.size()] = V;
        return res;
    }

    // 聚合签名验证
    public static boolean AggregateVerify(String pairingParametersFileName, String pubParamFileName, String[] idx, byte[][] message, Element[] sigma) throws NoSuchAlgorithmException {
        Pairing bp = PairingFactory.getPairing(pairingParametersFileName);

        Element[] QIDX = new Element[idx.length];
        for (int i = 0; i < idx.length; i++) {
            byte[] idHash = HASH(idx[i]);
            Element QID = bp.getG1().newElementFromHash(idHash, 0, idHash.length).getImmutable();
            QIDX[i] = QID;
        }

        //获取公开参数信息
        Properties pubProp = loadPropFromFile(pubParamFileName);
        Element P = bp.getG1().newElementFromBytes(Base64.getDecoder().decode(pubProp.getProperty("P"))).getImmutable();
        Element P_Pub = bp.getG1().newElementFromBytes(Base64.getDecoder().decode(pubProp.getProperty("P_Pub"))).getImmutable();
        String p = pubProp.getProperty("P");
        String pPub = pubProp.getProperty("P_Pub");
        byte[] hash = HASH(p + pPub);
        Element Q = hashToG(bp, hash);


        Element[] PKX = new Element[idx.length];
        for (int i = 0; i < idx.length; i++) {
            Properties userProp = loadPropFromFile(idx[i] + ".properties");
            Element upk = bp.getG1().newElementFromBytes(Base64.getDecoder().decode(userProp.getProperty("upk"))).getImmutable();
            PKX[i] = upk;
        }

        Element[] hx = new Element[idx.length];
        for (int i = 0; i < idx.length; i++) {
            byte[] res = hashCombination(message[i], idx[i].getBytes(), PKX[i].toBytes(), sigma[i].toBytes());
            Element h = hashToZ(bp, res);
            hx[i] = h;
        }
        Element left = bp.pairing(sigma[idx.length], P);
        Element U = sigma[0];
        for (int i = 1; i < idx.length; i++) {
            U = U.add(sigma[i]);
        }
        Element part = QIDX[0].add(PKX[0].mulZn(hx[0]));
        for (int i = 1; i < idx.length; i++) {
            part = part.add(QIDX[i].add(PKX[i].mulZn(hx[i])));
        }
        Element right = bp.pairing(part, P_Pub).mul(bp.pairing(U, Q));
        return left.isEqual(right);
    }

    //一种可行的组合方法
    public static byte[] hashCombination(byte[] message, byte[] id, byte[] upk, byte[] U) throws NoSuchAlgorithmException {
        int m_len = message.length, id_len = id.length, upk_len = upk.length, u_len = U.length;
        int total_len = m_len + id_len + upk_len + u_len;
        byte[] res = new byte[total_len];
        for (int i = 0; i < m_len; i++) {
            res[i] = message[i];
        }
        for (int i = 0; i < id_len; i++) {
            res[i + m_len] = id[i];
        }
        for (int i = 0; i < upk_len; i++) {
            res[i + m_len + id_len] = upk[i];
        }
        for (int i = 0; i < u_len; i++) {
            res[i + m_len + id_len + upk_len] = U[i];
        }
        MessageDigest instance = MessageDigest.getInstance("SHA-256");
        instance.update(res);
        return instance.digest();
    }

    public static void storePropToFile(Properties prop, String fileName) {
        try (FileOutputStream out = new FileOutputStream(fileName, true)) {
            prop.store(out, null);
        } catch (IOException e) {
            e.printStackTrace();
            System.out.println(fileName + " save failed!");
            System.exit(-1);
        }
    }

    public static Properties loadPropFromFile(String fileName) {
        Properties prop = new Properties();
        try (FileInputStream in = new FileInputStream(fileName)) {
            prop.load(in);
        } catch (IOException e) {
            e.printStackTrace();
            System.out.println(fileName + " load failed!");
            System.exit(-1);
        }
        return prop;
    }

    public static byte[] HASH(String content) throws NoSuchAlgorithmException {
        MessageDigest instance = MessageDigest.getInstance("SHA-1");
        instance.update(content.getBytes());
        return instance.digest();
    }

    public static Element hashToG(Pairing pb, byte[] code) {
        return pb.getG1().newElementFromHash(code, 0, code.length).getImmutable();
    }

    public static Element hashToZ(Pairing pb, byte[] code) {
        return pb.getZr().newElementFromHash(code, 0, code.length).getImmutable();
    }

    public static void main(String[] args) throws Exception {
        String pairingParametersFileName = "a_181_603.properties";
        String idAlice = "alice@example.com";
        String idBob = "bob@example.com";
        String pubParamFileName = "data/pub.properties";
        String KGCFileName = "data/kgc.properties";
        Setup(pairingParametersFileName, pubParamFileName, KGCFileName);
        PartialPrivateKeyGen(pairingParametersFileName, idAlice, KGCFileName);
        PartialPrivateKeyGen(pairingParametersFileName, idBob, KGCFileName);
        UserKeyGen(pairingParametersFileName, pubParamFileName, idAlice);
        UserKeyGen(pairingParametersFileName, pubParamFileName, idBob);

        String message_a = "Alice,This is a message from Alice!";
        String message_b = "Bob,This is a message from Bob!";


        Element[] sigma1 = Sign(pairingParametersFileName, pubParamFileName, idAlice, message_a.getBytes());
        Element[] sigma2 = Sign(pairingParametersFileName, pubParamFileName, idBob, message_b.getBytes());
        boolean result = Verify(pairingParametersFileName, pubParamFileName, idAlice, message_a.getBytes(), sigma1);
        System.out.println("Alice 验证签名通过？ " + result);
        result = Verify(pairingParametersFileName, pubParamFileName, idBob, message_b.getBytes(), sigma2);
        System.out.println("Bob 验证签名通过？ " + result);

        List<Element[]> sigmaList = new ArrayList<>();
        sigmaList.add(sigma1);
        sigmaList.add(sigma2);
        Element[] SIGMA = Aggregate(sigmaList);
        String[] idx = {idAlice, idBob};
        byte[][] message = {message_a.getBytes(), message_b.getBytes()};
//        message[0][1] = 1;//假如消息被篡改
        result = AggregateVerify(pairingParametersFileName, pubParamFileName, idx, message, SIGMA);
        System.out.println("聚合签名验证通过？ " + result);

    }

}

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301

参考文献

1. A new certificateless aggregate signature scheme

2. Cryptanalysis and improvement of a certificateless aggregate signature scheme

3. A certificateless aggregate signature scheme for healthcare wireless sensor network

4. Efficient certificateless aggregate signcryption scheme without bilinear pairings

5. Security issues in IoT applications using certificateless aggregate signcryption schemes: An overview