II. Algorithm Details
2.1 Key generation algorithm ($KeyGen$):
- Each user has their own key pair $(y_{i},x_{i})$ for the Schnorr signature scheme. The system has two hash functions, $H_{1}:\{0,1\}^{*}\to Z_{q}$ and $H_{2}:\{0,1\}^{*}\to G$.
- Introduction to the Schnorr signature algorithm
2.2 Signature generation algorithm ($Sign$)
- Without loss of generality, let the set of public keys of the group being represented be $L=(y_{1},\cdots,y_{l})$, and let the signer's public key be $y_{j}$, $j \in [1,l]$. The message to be signed is $m$. The signer performs the following steps:
- Choose a random number $\sigma_{j}$ in $Z_{q}^{*}$.
- Compute $I=H_{2}(y_{j})^{x_{j}}$.
- Compute $\alpha_{j}=H_{1}(m\,\|\,I\,\|\,L\,\|\,g^{\sigma_{j}}\,\|\,H_{2}(y_{j})^{\sigma_{j}})$.
- For $i=j+1,j+2,\cdots,j-1$, in turn choose a random number $r_{i}$ in $Z_{q}^{*}$ and compute $\alpha_{i}=H_{1}(m\,\|\,I\,\|\,L\,\|\,g^{r_{i}}y_{i}^{\alpha_{i-1}}\,\|\,H_{2}(y_{i})^{r_{i}}I^{\alpha_{i-1}})$. Here, when $i=1$, the index $i-1$ is taken to be $l$.
- Compute $r_{j}=\sigma_{j}-\alpha_{j-1}\cdot x_{j} \bmod q$.
- Output the final signature $\sigma=(I,\alpha_{1},r_{1},\cdots,r_{l},L)$.
2.3 Signature verification algorithm ($Verify$):
- On receiving the signature $\sigma=(I,\alpha_{1},r_{1},\cdots,r_{l},L)$, the verifier performs the following steps:
- For $i=2,3,\cdots,l$, in turn compute $\alpha_{i}=H_{1}(m\,\|\,I\,\|\,L\,\|\,g^{r_{i}}y_{i}^{\alpha_{i-1}}\,\|\,H_{2}(y_{i})^{r_{i}}I^{\alpha_{i-1}})$.
- Check the equation $\alpha_{1} \equiv H_{1}(m\,\|\,I\,\|\,L\,\|\,g^{r_{1}}y_{1}^{\alpha_{l}}\,\|\,H_{2}(y_{1})^{r_{1}}I^{\alpha_{l}})$.
- If the equation holds, output 1; otherwise output 0.
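
The $Sign$ and $Verify$ steps above, as an added Python example (not code from the original page). Assumptions made here: a constructed toy group (safe prime `P = 2039`, `Q = 1019`, `G = 4`) that is far too small for real use, SHA-256 standing in for $H_1$ and $H_2$, hash-to-group by squaring, a `|`-joined string encoding of the hash inputs, and an extra subgroup check on $I$ in `verify` that is not one of the page's steps.

```python
import hashlib, secrets

# Constructed toy group (assumption): safe prime P = 2Q + 1; G = 4 generates
# the order-Q subgroup. Far too small for real use.
P, Q, G = 2039, 1019, 4

def _h(tag, *parts):
    data = tag + b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def H1(*parts):                      # H1: {0,1}* -> Z_q
    return _h(b"H1|", *parts) % Q

def H2(y):                           # H2: {0,1}* -> G (squaring lands in the subgroup)
    return pow(_h(b"H2|", y) % (P - 3) + 2, 2, P)

def keygen():                        # Schnorr key pair (y, x) with y = g^x
    x = secrets.randbelow(Q - 1) + 1
    return pow(G, x, P), x

def _alpha(m, I, L, i, r_i, a_prev):
    # alpha_i = H1(m || I || L || g^{r_i} y_i^{a_prev} || H2(y_i)^{r_i} I^{a_prev})
    u = pow(G, r_i, P) * pow(L[i], a_prev, P) % P
    v = pow(H2(L[i]), r_i, P) * pow(I, a_prev, P) % P
    return H1(m, I, L, u, v)

def sign(m, L, j, x):                # j: signer's 0-based position in ring L
    l, h = len(L), H2(L[j])
    I = pow(h, x, P)                 # linking tag, depends only on the signer's key
    s = secrets.randbelow(Q - 1) + 1 # sigma_j
    alpha, r = [0] * l, [0] * l
    alpha[j] = H1(m, I, L, pow(G, s, P), pow(h, s, P))
    for k in range(1, l):            # i = j+1, ..., j-1, wrapping around the ring
        i = (j + k) % l
        r[i] = secrets.randbelow(Q - 1) + 1
        alpha[i] = _alpha(m, I, L, i, r[i], alpha[i - 1])
    r[j] = (s - alpha[j - 1] * x) % Q   # closes the ring at the signer's slot
    return I, alpha[0], r

def verify(m, L, sig):
    I, a1, r = sig
    if len(r) != len(L) or not (1 < I < P and pow(I, Q, P) == 1):
        return False                 # added check: malformed signature or bad tag
    a = a1
    for i in range(1, len(L)):       # recompute alpha_2 .. alpha_l
        a = _alpha(m, I, L, i, r[i], a)
    return _alpha(m, I, L, 0, r[0], a) == a1
```

Two signatures made with the same private key carry the same $I$ even for different messages, which is what makes them linkable without revealing which ring member signed.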