Identity-based forward security ring signature method

Document No.: 105401. Publication date: 2021-10-15.

Reading note: this technology, "Identity-based forward security ring signature method", was designed by 田苗苗, 王婉玉 and 仲红 on 2021-07-09. Abstract: The invention discloses an identity-based forward security ring signature method comprising the following steps: 1. Parameter setting: given a security parameter $n$, the system generates public parameters $pp$ and a master private key $MSK$. 2. Private key extraction: given the public parameters $pp$, a user identity $id \in \{0,1\}^*$ and the master private key $MSK$, output the private key $sk_{id}$ corresponding to the identity $id$. 3. Key update: given the public parameters $pp$, a user's private key $sk_{id,t}$ for time period $t$ and the new time period $t+1$, output the user's private key $sk_{id,t+1}$ for time period $t+1$. 4. Signing: given the time period $t$, the system's maximum ring $S$, the message $m$ to be signed, a ring $R$ and a private key $sk_{id,t}$ whose corresponding identity satisfies $id \in R$, output the signature $\sigma_t$ for time period $t$. 5. Verification: given a message-signature pair $(m, \sigma_t)$, the time period $t$ and the ring $R$, output 1 if the signature verifies and 0 otherwise. The invention improves the efficiency of user signing while achieving forward security of signatures, and can resist attacks by quantum computers, thereby solving the certificate management problem that arises in traditional forward security ring signatures.

1. An identity-based forward security ring signature method is characterized by comprising the following steps:

Step 1, setting parameters;

Step 1.1, setting a security parameter $n$, and selecting a first integer that is a prime $q \geq 2$, a second integer $m > 5n\log q$, and a Gaussian parameter; $\omega$ represents a lower bound parameter;

Step 1.2, generating a random matrix and its basis $B_A \in \mathbb{Z}^{m \times m}$ by using the trapdoor generation function TrapGen($q$, $n$), where a further symbol denotes the set of matrices of dimension $n \times m$ with entries taken from the set $\{0, 1, 2, \ldots, q-1\}$, and $\mathbb{Z}^{m \times m}$ denotes the set of matrices of dimension $m \times m$ composed of non-negative integers;

Step 1.3, constructing the public parameters and the master private key $MSK = B_A$; $H_1$ and $H_2$ denote two collision-resistant hash functions that transform an input of arbitrary length into a fixed-length output by a hash algorithm, and a further symbol denotes a message space;

Step 2, extracting the initial private key $sk_{id,0}$;

Step 2.1, defining the user identity $id \in \{0,1\}^*$, where $\{0,1\}^*$ denotes the set of strings of arbitrary length composed of 0 and 1, computing the tag matrix $Q = H_1(id)$ of the user $id$, and constructing the user identity matrix $A_{id} = [A|Q]$, where $|$ denotes the concatenation of the matrices $A$ and $Q$;

Step 2.2, generating a basis $R_{id} \in \mathbb{Z}^{(m+1)\times(m+1)}$ of the user identity by using the lattice basis randomization function $\mathrm{RandBasis}(\mathrm{ExtBasis}(B_A, A_{id}), s)$, where $\mathbb{Z}^{(m+1)\times(m+1)}$ denotes the set of non-negative integer matrices of dimension $(m+1)\times(m+1)$;

Step 2.3, determining the set $\mathrm{Nodes}(0 \to T-1)$ and processing each node $z \in \mathrm{Nodes}(0 \to T-1)$, where $\mathrm{Nodes}(t \to T-1)$ denotes the minimal set of nodes in the binary tree that contains an ancestor of each of the leaf nodes $\{t, \ldots, T-1\}$ but contains no ancestor of $\{0, \ldots, t-1\}$, and $0 \to T-1$ denotes the time periods from 0 to $T-1$;

Step 2.3.1, if $z = \perp$, where $\perp$ denotes an empty set with no actual node, setting the private key of the user $id$ at node $z$ to $sk_{id}[z] = \perp$; otherwise, executing step 2.3.2;

Step 2.3.2, letting $d_z$ denote the length of the binary vector $z$, where $d_z \leq d$ and $d$ denotes the depth of the binary tree;

Step 2.3.3, constructing the matrix of the user $id$ at the corresponding node $z$, where $\mathrm{Bin}(z)$ is the binary representation of node $z$, $\mathrm{Bin}(z)[d_z]$ denotes its $d_z$-th bit, a further symbol denotes the matrix at depth $d_z$ on the path from the root to node $z$, and another denotes the set of matrices of dimension $n \times ((d_z+1)m+1)$ with entries taken from the set $\{0, 1, 2, \ldots, q-1\}$;

Step 2.3.4, computing the basis of the user $id$ at the corresponding node $z$ and letting $sk_{id}[z] = R_{id,z}$; the symbol $\leftarrow$ denotes generation, RandBasis() denotes randomization of a basis, ExtBasis() denotes extraction of a basis, and $s_{d_z}$ denotes a Gaussian parameter randomly selected when randomizing the basis;

Step 2.3.5, letting the initial private key corresponding to the user identity $id$ be $sk_{id,0} = \{sk_{id}[z],\ z \in \mathrm{Nodes}(0 \to T-1)\}$;

Step 3, updating the private key $sk_{id,t}$ of time period $t$;

Step 3.1, given the known private key $sk_{id,t} = \{sk_{id}[z],\ z \in \mathrm{Nodes}(t \to T-1)\}$ of time period $t$, the key evolution procedure for each new binary vector $z' \in \mathrm{Nodes}(t+1 \to T-1)$ is as follows:

Step 3.1.1, if $z' = \perp$, setting the private key of the user $id$ at node $z'$ to $sk_{id}[z'] = \perp$;

If there exists a $z \in \mathrm{Nodes}(t \to T-1)$ that is a prefix of $z'$, then:

if $z' = z$, letting $sk_{id}[z'] = sk_{id}[z]$;

if $z' = z \| y$, where $y$ denotes a non-empty binary bit string and $\|$ denotes the concatenation of $z$ and $y$, computing the basis of the user at the corresponding node $z'$ as $R_{id,z'} \leftarrow \mathrm{RandBasis}(\mathrm{ExtBasis}(R_{id,z}, A_{id,z'}), s_{d_{z'}})$ and letting $sk_{id}[z'] = R_{id,z'}$, where $A_{id,z'}$ denotes the matrix used when extracting the basis at node $z'$ and $s_{d_{z'}}$ denotes a Gaussian parameter randomly selected when randomizing the basis;

Step 3.1.2, computing the private key of time period $t+1$ as $sk_{id,t+1} = \{sk_{id}[z'],\ z' \in \mathrm{Nodes}(t+1 \to T-1)\}$;

Step 4, signing;

Step 4.1, defining the maximum ring as $S$, the message to be signed as $\mu$, the current ring as $R$, and the private key of time period $t$ as $sk_{id,t}$, whose corresponding identity satisfies $id \in R$;

Step 4.2, defining the current ring $R$ as the identity set of all users, $R = \{id_1, \ldots, id_s, \ldots, id_l\}$, where $id_s$ denotes the $s$-th user identity and $l$ denotes the number of users; a further symbol denotes the private key of the $s$-th user identity $id_s$ in time period $t$, and the message is $\mu \in \{0,1\}^*$;

Step 4.3, assuming that the $s$-th user identity $id_s$ is the signer, the signer parses its private key for time period $t$ to obtain the signer's basis at node $z$, where $z \in \mathrm{Nodes}(t \to T-1)$, $z = \mathrm{Bin}(t)$, $\mathrm{Bin}$ denotes the binary representation of the integer time period $t$, and the length of $\mathrm{Bin}(t)$ is $d_t$;

Step 4.4, constructing the verification matrix required for the user $s$ to sign for the ring, where $Q_{s+1}$ denotes the identity tag matrix of the $(s+1)$-th user, a further symbol denotes the identity matrix of user $s$, $B_t$ denotes the path matrix from the root to node $t$, and another denotes the matrix at depth $d_t$ on the path from the root to node $t$;

Step 4.5, selecting a random number $\tau \in \{0,1\}^{\omega(\log n)}$, where $\{0,1\}^{\omega(\log n)}$ denotes the set of strings of 0s and 1s of length $\omega(\log n)$, and computing the hash value $u = H_2(R, \mu, t, \tau)$;

Step 4.6, generating a vector by using the trapdoor sampling function, where $e$ follows a Gaussian distribution, $r$ denotes a randomly chosen Gaussian parameter, and a further symbol denotes a $q$-ary lattice;

Step 4.6, obtaining the signature $\sigma_t = (e, R, t, \tau)$ of time period $t$;

Step 5, according to the message $\mu$, the signature $\sigma_t$, the time period $t$ and the ring $R = \{id_1, \ldots, id_l\}$, verifying the message-signature pair $(\mu, \sigma_t)$; outputting 1 if the verification passes, and 0 otherwise;

Step 5.1, parsing the signature $\sigma_t$ as $(e, R, t, \tau)$;

Step 5.2, according to the hash value $u$ and the verification matrix $A_R$, the verification passes if and only if $(A_R \cdot e) \bmod q = H_2(R, \mu, t, \tau)$ and the accompanying condition on $\|e\|$ holds; otherwise, the verification fails, where $O$ denotes the time complexity and $\|e\|$ denotes the $\ell_2$ norm of the vector $e$.

Technical Field

The invention relates to an information security technology, in particular to a forward security ring signature method based on identity.

Background

A forward security ring signature is a special kind of ring signature. In addition to the unforgeability and anonymity of an ordinary ring signature, it provides forward security for the user's private key: after the private key is disclosed at some moment, the security of the signatures the user produced before that moment is not affected. Forward security ring signatures can therefore be applied to anonymous authentication in self-organizing networks. In addition, an identity-based forward security ring signature eliminates the extra storage and computation overhead introduced by public key certificates and is therefore more efficient. At present, forward security ring signature schemes are all based on traditional hard problems, so they cannot resist attacks by quantum computers and offer low security.

Disclosure of Invention

The invention aims to solve the defects in the prior art, and provides an identity-based forward security ring signature method for resisting quantum attack, so that the efficiency of user signature can be improved on the premise of realizing forward security of signature, and the attack of a quantum computer can be resisted, thereby solving the problem of certificate management in the traditional forward security ring signature.

In order to achieve the purpose, the invention adopts the following technical scheme:

the invention relates to an identity-based forward security ring signature method which is characterized by comprising the following steps:

Step 1, setting parameters;

Step 1.1, setting a security parameter $n$, and selecting a first integer that is a prime $q \geq 2$, a second integer $m > 5n\log q$, and a Gaussian parameter; $\omega$ represents a lower bound parameter;

Step 1.2, generating a random matrix and its basis $B_A \in \mathbb{Z}^{m \times m}$ by using the trapdoor generation function TrapGen($q$, $n$), where a further symbol denotes the set of matrices of dimension $n \times m$ with entries taken from the set $\{0, 1, 2, \ldots, q-1\}$, and $\mathbb{Z}^{m \times m}$ denotes the set of matrices of dimension $m \times m$ composed of non-negative integers;

Step 1.3, constructing the public parameters and the master private key $MSK = B_A$; $H_1$ and $H_2$ denote two collision-resistant hash functions that transform an input of arbitrary length into a fixed-length output by a hash algorithm, and a further symbol denotes a message space;

Step 2, extracting the initial private key $sk_{id,0}$;

Step 2.1, defining the user identity $id \in \{0,1\}^*$, where $\{0,1\}^*$ denotes the set of strings of arbitrary length composed of 0 and 1, computing the tag matrix $Q = H_1(id)$ of the user $id$, and constructing the user identity matrix $A_{id} = [A|Q]$, where $|$ denotes the concatenation of the matrices $A$ and $Q$;

Step 2.2, generating a basis $R_{id} \in \mathbb{Z}^{(m+1)\times(m+1)}$ of the user identity by using the lattice basis randomization function $\mathrm{RandBasis}(\mathrm{ExtBasis}(B_A, A_{id}), s)$, where $\mathbb{Z}^{(m+1)\times(m+1)}$ denotes the set of non-negative integer matrices of dimension $(m+1)\times(m+1)$;

Step 2.3, determining the set $\mathrm{Nodes}(0 \to T-1)$ and processing each node $z \in \mathrm{Nodes}(0 \to T-1)$, where $\mathrm{Nodes}(t \to T-1)$ denotes the minimal set of nodes in the binary tree that contains an ancestor of each of the leaf nodes $\{t, \ldots, T-1\}$ but contains no ancestor of $\{0, \ldots, t-1\}$, and $0 \to T-1$ denotes the time periods from 0 to $T-1$;

Step 2.3.1, if $z = \perp$, where $\perp$ denotes an empty set with no actual node, setting the private key of the user $id$ at node $z$ to $sk_{id}[z] = \perp$; otherwise, executing step 2.3.2;

Step 2.3.2, letting $d_z$ denote the length of the binary vector $z$, where $d_z \leq d$ and $d$ denotes the depth of the binary tree;

Step 2.3.3, constructing the matrix of the user $id$ at the corresponding node $z$, where $\mathrm{Bin}(z)$ is the binary representation of node $z$, $\mathrm{Bin}(z)[d_z]$ denotes its $d_z$-th bit, a further symbol denotes the matrix at depth $d_z$ on the path from the root to node $z$, and another denotes the set of matrices of dimension $n \times ((d_z+1)m+1)$ with entries taken from the set $\{0, 1, 2, \ldots, q-1\}$;

Step 2.3.4, computing the basis of the user $id$ at the corresponding node $z$ and letting $sk_{id}[z] = R_{id,z}$; the symbol $\leftarrow$ denotes generation, RandBasis() denotes randomization of a basis, ExtBasis() denotes extraction of a basis, and $s_{d_z}$ denotes a Gaussian parameter randomly selected when randomizing the basis;

Step 2.3.5, letting the initial private key corresponding to the user identity $id$ be $sk_{id,0} = \{sk_{id}[z],\ z \in \mathrm{Nodes}(0 \to T-1)\}$;

Step 3, updating the private key $sk_{id,t}$ of time period $t$;

Step 3.1, given the known private key $sk_{id,t} = \{sk_{id}[z],\ z \in \mathrm{Nodes}(t \to T-1)\}$ of time period $t$, the key evolution procedure for each new binary vector $z' \in \mathrm{Nodes}(t+1 \to T-1)$ is as follows:

Step 3.1.1, if $z' = \perp$, setting the private key of the user $id$ at node $z'$ to $sk_{id}[z'] = \perp$;

If there exists a $z \in \mathrm{Nodes}(t \to T-1)$ that is a prefix of $z'$, then:

if $z' = z$, letting $sk_{id}[z'] = sk_{id}[z]$;

if $z' = z \| y$, where $y$ denotes a non-empty binary bit string and $\|$ denotes the concatenation of $z$ and $y$, computing the basis of the user at the corresponding node $z'$ as $R_{id,z'} \leftarrow \mathrm{RandBasis}(\mathrm{ExtBasis}(R_{id,z}, A_{id,z'}), s_{d_{z'}})$ and letting $sk_{id}[z'] = R_{id,z'}$, where $A_{id,z'}$ denotes the matrix used when extracting the basis at node $z'$ and $s_{d_{z'}}$ denotes a Gaussian parameter randomly selected when randomizing the basis;

Step 3.1.2, computing the private key of time period $t+1$ as $sk_{id,t+1} = \{sk_{id}[z'],\ z' \in \mathrm{Nodes}(t+1 \to T-1)\}$;

Step 4, signing;

Step 4.1, defining the maximum ring as $S$, the message to be signed as $\mu$, the current ring as $R$, and the private key of time period $t$ as $sk_{id,t}$, whose corresponding identity satisfies $id \in R$;

Step 4.2, defining the current ring $R$ as the identity set of all users, $R = \{id_1, \ldots, id_s, \ldots, id_l\}$, where $id_s$ denotes the $s$-th user identity and $l$ denotes the number of users; a further symbol denotes the private key of the $s$-th user identity $id_s$ in time period $t$, and the message is $\mu \in \{0,1\}^*$;

Step 4.3, assuming that the $s$-th user identity $id_s$ is the signer, the signer parses its private key for time period $t$ to obtain the signer's basis at node $z$, where $z \in \mathrm{Nodes}(t \to T-1)$, $z = \mathrm{Bin}(t)$, $\mathrm{Bin}$ denotes the binary representation of the integer time period $t$, and the length of $\mathrm{Bin}(t)$ is $d_t$;

Step 4.4, constructing the verification matrix required for the user $s$ to sign for the ring, where $Q_{s+1}$ denotes the identity tag matrix of the $(s+1)$-th user, a further symbol denotes the identity matrix of user $s$, $B_t$ denotes the path matrix from the root to node $t$, and another denotes the matrix at depth $d_t$ on the path from the root to node $t$;

Step 4.5, selecting a random number $\tau \in \{0,1\}^{\omega(\log n)}$, where $\{0,1\}^{\omega(\log n)}$ denotes the set of strings of 0s and 1s of length $\omega(\log n)$, and computing the hash value $u = H_2(R, \mu, t, \tau)$;

Step 4.6, generating a vector by using the trapdoor sampling function, where $e$ follows a Gaussian distribution, $r$ denotes a randomly chosen Gaussian parameter, and a further symbol denotes a $q$-ary lattice;

Step 4.6, obtaining the signature $\sigma_t = (e, R, t, \tau)$ of time period $t$;

Step 5, according to the message $\mu$, the signature $\sigma_t$, the time period $t$ and the ring $R = \{id_1, \ldots, id_l\}$, verifying the message-signature pair $(\mu, \sigma_t)$; outputting 1 if the verification passes, and 0 otherwise;

Step 5.1, parsing the signature $\sigma_t$ as $(e, R, t, \tau)$;

Step 5.2, according to the hash value $u$ and the verification matrix $A_R$, the verification passes if and only if $(A_R \cdot e) \bmod q = H_2(R, \mu, t, \tau)$ and the accompanying condition on $\|e\|$ holds; otherwise, the verification fails, where $O$ denotes the time complexity and $\|e\|$ denotes the $\ell_2$ norm of the vector $e$.

Compared with the prior art, the invention has the beneficial effects that:

1. The invention adopts an identity-based method: the user does not need a traditional public key certificate to verify identity, but directly uses the identity as the private key of the user. The private key extraction algorithm uses the system master private key MSK and the identity information to extract and randomize a basis, thereby deriving the private key for the corresponding user and eliminating the additional storage and computation overhead brought by public key certificates in traditional public key cryptography.

2. The invention uses lattice cryptography to design a forward security ring signature scheme. The whole lifetime of the cryptosystem is divided into $T$ time periods; when the current time period $t$ ends and the next time period $t+1$ begins, the signer updates the key by applying basis extraction and randomization to the current private key. The whole process is based on the hardness assumption of the small integer solution problem on lattices, so the scheme can resist attacks by quantum computers.

Drawings

FIG. 1 is a diagram of a binary tree structure of the present invention;

FIG. 2 is a flow chart of the main steps of the present invention;

Detailed Description

In this embodiment, as shown in Fig. 2, the identity-based forward security ring signature method uses lattice cryptography. Two sets are first defined, where $n$, $m$ and $q$ are positive integers,

The discrete Gaussian distribution on the set $\Lambda$ with parameter $s > 0$ and center $c \in \mathbb{R}^m$ is defined as:

When $c = 0$, $\rho_{s,0}$ and a further symbol are written as $\rho_s$ and

Secondly, the invention uses a binary tree structure to evolve the user's secret key. In this binary tree, every node except the leaf nodes has two branches; the left branch is denoted by 0 and the right branch by 1. For simplicity, the lifetime of the scheme is divided into $T = 2^d$ time periods, where $d$ is a positive integer. Each time period $t \in \{0, 1, \ldots, T-1\}$ is associated with a leaf $\mathrm{Bin}(t)$, where $\mathrm{Bin}(t)$ is the bit decomposition of $t$, which can be understood as the path from the root to that node. For $j = 1, \ldots, d+1$, the "right sibling at depth $j$" of the time period $t$ is defined as:

The node set $\mathrm{Nodes}(t \to T-1) = \{\mathrm{sibling}(1, t), \ldots, \mathrm{sibling}(d+1, t)\}$ is then defined.

Fig. 1 shows the binary tree for $T = 2^3$ time periods. To populate the set $\mathrm{Nodes}(t \to T-1)$, we start with the leaf $\mathrm{Bin}(t)$ and add it to $\mathrm{Nodes}(t \to T-1)$; if its sibling exists, we add the sibling to $\mathrm{Nodes}(t \to T-1)$ as well. Then, moving recursively upward, we add the sibling (if any) of every parent on the path to $\mathrm{Nodes}(t \to T-1)$ until the root node is reached. The process then stops and outputs the corresponding list $\mathrm{Nodes}(t \to T-1)$. Taking node (001) as an example, for the path from the root node $\varepsilon$ to the leaf node (001), $\mathrm{Nodes}(1 \to 7) = \{(1), (01), (001)\}$.
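The node-set construction just described, together with the prefix rule of step 3 (key update), as an added example that is not code from the patent. It assumes $T = 2^d$ and that a sibling is added only when it is the right child, which reproduces the $\mathrm{Nodes}(1 \to 7)$ example above; the function names are hypothetical, and the lattice operations RandBasis/ExtBasis are not implemented, only the choice of the stored node from which each new basis comes.

```python
"""Binary-tree key schedule for T = 2**d time periods (added illustration)."""


def bin_path(t, d):
    """Bin(t): the d-bit path from the root to the leaf of period t."""
    if not 0 <= t < (1 << d):
        raise ValueError(f"time period {t} outside 0..{(1 << d) - 1}")
    return format(t, f"0{d}b")


def nodes(t, d):
    """Nodes(t -> T-1): right siblings along the path to Bin(t), then Bin(t).

    Assumption: a sibling "exists" at a given depth only when the path takes
    the left branch (bit 0) there, so the sibling is the right child.
    """
    path = bin_path(t, d)
    right_siblings = [path[:j] + "1" for j in range(d) if path[j] == "0"]
    return right_siblings + [path]


def update_plan(t, d):
    """Map each z' in Nodes(t+1 -> T-1) to the way its basis is obtained.

    Returns (plan, dropped). plan[z'] is ("copy", z) when z' == z, or
    ("derive", z) when z' = z || y with y non-empty, which is where step 3
    calls RandBasis(ExtBasis(R_{id,z}, A_{id,z'}), s). dropped lists the
    nodes of the period-t key that are absent from the period-(t+1) key.
    """
    old = nodes(t, d)
    plan = {}
    for z_new in nodes(t + 1, d):  # raises ValueError after the last period
        prefixes = [z for z in old if z_new.startswith(z)]
        if len(prefixes) != 1:  # the rule needs exactly one stored prefix
            raise RuntimeError(f"no unique prefix for {z_new!r} in {old}")
        z = prefixes[0]
        plan[z_new] = ("copy" if z == z_new else "derive", z)
    dropped = [z for z in old if z not in plan]
    return plan, dropped


def reachable_periods(t, d):
    """Periods whose leaf lies under some node of Nodes(t -> T-1)."""
    held = nodes(t, d)
    return [p for p in range(1 << d)
            if any(bin_path(p, d).startswith(z) for z in held)]


if __name__ == "__main__":
    d = 3  # T = 8, the tree of Fig. 1
    for t in range((1 << d) - 1):
        plan, dropped = update_plan(t, d)
        print(f"t={t} Nodes={nodes(t, d)} -> t+1: {plan} dropped={dropped}")
        # Tree-level forward security: no past leaf stays reachable.
        assert reachable_periods(t + 1, d) == list(range(t + 1, 1 << d))
```

At the tree level, forward security shows up as `reachable_periods(t, d)` never containing a period earlier than `t`: once the dropped bases are erased, the stored nodes cover only the current and future leaves.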

In specific implementation, the forward security ring signature method comprises the following steps:

Step 1, setting parameters;

Step 1.1, setting a security parameter $n$, and selecting a first integer that is a prime $q \geq 2$, a second integer $m > 5n\log q$, and a Gaussian parameter; $\omega$ denotes a lower bound parameter, i.e. greater than but not equal to

Step 1.2, generating a random matrix and its basis $B_A \in \mathbb{Z}^{m \times m}$ by using the trapdoor generation function TrapGen($q$, $n$), where a further symbol denotes the set of matrices of dimension $n \times m$ with entries taken from the set $\{0, 1, 2, \ldots, q-1\}$, and $\mathbb{Z}^{m \times m}$ denotes the set of matrices of dimension $m \times m$ composed of non-negative integers. The TrapGen($q$, $n$) algorithm is as follows: given integers $n \geq 1$, $q \geq 2$ and $m \geq 5n\log q$, the algorithm outputs an approximately uniform random matrix $A$ and a basis $B_A \in \mathbb{Z}^{m \times m}$ of the lattice $\Lambda(A)$; with great probability these satisfy two bounds, one of which is that $B_A$ is at most $O(n\log q)$, and a further symbol denotes the orthogonalization of $B_A$.

Step 1.3, constructing the public parameters and the master private key $MSK = B_A$; $H_1$ and $H_2$ denote two collision-resistant hash functions that transform an input of arbitrary length into a fixed-length output by a hash algorithm, and a further symbol denotes a message space;

Step 2, extracting the initial private key $sk_{id,0}$;

Step 2.1, defining the user identity $id \in \{0,1\}^*$, where $\{0,1\}^*$ denotes the set of strings of arbitrary length composed of 0 and 1, computing the tag matrix $Q = H_1(id)$ of the user $id$, and constructing the user identity matrix $A_{id} = [A|Q]$, where $|$ denotes the concatenation of the matrices $A$ and $Q$;

Step 2.2, generating a basis $R_{id} \in \mathbb{Z}^{(m+1)\times(m+1)}$ of the user identity by using the lattice basis randomization function $\mathrm{RandBasis}(\mathrm{ExtBasis}(B_A, A_{id}), s)$, where $\mathbb{Z}^{(m+1)\times(m+1)}$ denotes the set of non-negative integer matrices of dimension $(m+1)\times(m+1)$. The RandBasis($A$, $S$, $r$) algorithm is as follows: on input a matrix $A$, a basis $S$ of the lattice $\Lambda(A)$ and a Gaussian parameter $r$, the algorithm outputs a new basis $S'$ of the lattice $\Lambda(A)$, and $S'$ does not reveal any information about the basis $S$.

Step 2.3, determining the set $\mathrm{Nodes}(0 \to T-1)$ and processing each node $z \in \mathrm{Nodes}(0 \to T-1)$, where $\mathrm{Nodes}(t \to T-1)$ denotes the minimal set of nodes in the binary tree that contains an ancestor of each of the leaf nodes $\{t, \ldots, T-1\}$ but contains no ancestor of $\{0, \ldots, t-1\}$, and $0 \to T-1$ denotes the time periods from 0 to $T-1$;

Step 2.3.1, if $z = \perp$, where $\perp$ denotes an empty set with no actual node, setting the private key of the user $id$ at node $z$ to $sk_{id}[z] = \perp$; otherwise, executing step 2.3.2;

Step 2.3.2, letting $d_z$ denote the length of the binary vector $z$, where $d_z \leq d$ and $d$ denotes the depth of the binary tree;

Step 2.3.3, constructing the matrix of the user $id$ at the corresponding node $z$, where $\mathrm{Bin}(z)$ is the binary representation of $z$, $\mathrm{Bin}(z)[d_z]$ denotes its $d_z$-th bit, a further symbol denotes the matrix at depth $d_z$ on the path from the root to node $z$, and another denotes the set of matrices of dimension $n \times ((d_z+1)m+1)$ with entries taken from the set $\{0, 1, 2, \ldots, q-1\}$;

Step 2.3.4, computing the basis of the user $id$ at the corresponding node $z$ and letting $sk_{id}[z] = R_{id,z}$; the symbol $\leftarrow$ denotes generation, RandBasis() denotes randomization of a basis, ExtBasis() denotes extraction of a basis, and $s_{d_z}$ denotes a Gaussian parameter randomly selected when randomizing the basis. The ExtBasis($S_0$, $A = A_0 \| A_1$) algorithm is as follows: on input a matrix $A_0$, a basis $S_0$ of the lattice $\Lambda(A_0)$ and a matrix $A_1$, the algorithm outputs a basis $S \in \mathbb{Z}^{m \times m}$ of the lattice $\Lambda(A)$ satisfying a further condition, where $m = m_0 + m_1$.

Step 2.3.5, letting the initial private key corresponding to the user identity $id$ be $sk_{id,0} = \{sk_{id}[z],\ z \in \mathrm{Nodes}(0 \to T-1)\}$;

Step 3, updating the private key $sk_{id,t}$ of time period $t$;

Step 3.1, given the known private key $sk_{id,t} = \{sk_{id}[z],\ z \in \mathrm{Nodes}(t \to T-1)\}$ of time period $t$, the key evolution procedure for each new binary vector $z' \in \mathrm{Nodes}(t+1 \to T-1)$ is as follows:

Step 3.1.1, if $z' = \perp$, setting the private key of the user $id$ at node $z'$ to $sk_{id}[z'] = \perp$;

If there exists a $z \in \mathrm{Nodes}(t \to T-1)$ that is a prefix of $z'$, then:

if $z' = z$, letting $sk_{id}[z'] = sk_{id}[z]$;

if $z' = z \| y$, where $y$ denotes a non-empty binary bit string and $\|$ denotes the concatenation of $z$ and $y$, computing the basis of the user at the corresponding node $z'$ as $R_{id,z'} \leftarrow \mathrm{RandBasis}(\mathrm{ExtBasis}(R_{id,z}, A_{id,z'}), s_{d_{z'}})$ and letting $sk_{id}[z'] = R_{id,z'}$, where $A_{id,z'}$ denotes the matrix used when extracting the basis at node $z'$ and $s_{d_{z'}}$ denotes a Gaussian parameter randomly selected when randomizing the basis;

Step 3.1.2, computing the private key of time period $t+1$ as $sk_{id,t+1} = \{sk_{id}[z'],\ z' \in \mathrm{Nodes}(t+1 \to T-1)\}$;

Step 4, signing;

Step 4.1, defining the maximum ring as $S$, the message to be signed as $\mu$, the current ring as $R$, and the private key of time period $t$ as $sk_{id,t}$, whose corresponding identity satisfies $id \in R$;

Step 4.2, defining the current ring $R$ as the identity set of all users, $R = \{id_1, \ldots, id_s, \ldots, id_l\}$, where $id_s$ denotes the $s$-th user identity and $l$ denotes the number of users; a further symbol denotes the private key of the $s$-th user identity $id_s$ in time period $t$, and the message is $\mu \in \{0,1\}^*$;

Step 4.3, assuming that the $s$-th user identity $id_s$ is the signer, the signer parses its private key for time period $t$ to obtain the signer's basis at node $z$, where $z \in \mathrm{Nodes}(t \to T-1)$, $z = \mathrm{Bin}(t)$, $\mathrm{Bin}$ denotes the binary representation of the integer time period $t$, and the length of $\mathrm{Bin}(t)$ is $d_t$;

Step 4.4, constructing the verification matrix required for the user $s$ to sign for the ring, where $Q_{s+1}$ denotes the identity tag matrix of the $(s+1)$-th user, a further symbol denotes the identity matrix of user $s$, $B_t$ denotes the path matrix from the root to node $t$, and another denotes the matrix at depth $d_t$ on the path from the root to node $t$;

Step 4.5, selecting a random number $\tau \in \{0,1\}^{\omega(\log n)}$, where $\{0,1\}^{\omega(\log n)}$ denotes the set of strings of 0s and 1s of length $\omega(\log n)$, and computing the hash value $u = H_2(R, \mu, t, \tau)$;

Step 4.6, generating a vector by using the trapdoor sampling function, where $e$ follows a Gaussian distribution and $r$ denotes a randomly selected Gaussian parameter. The SamplePre($A$, $B_A$, $u$, $r$) algorithm is as follows: on input a matrix $A$, a basis $B_A$ of the lattice $\Lambda(A)$, a vector $u$ and a parameter $r$, the algorithm outputs a vector $e \in \mathbb{Z}^m$ whose distribution is statistically close to a discrete Gaussian distribution and which satisfies $Ae = y \bmod q$ and

Step 4.6, obtaining the signature $\sigma_t = (e, R, t, \tau)$ of time period $t$;

Step 5, according to the message $\mu$, the signature $\sigma_t$, the time period $t$ and the ring $R = \{id_1, \ldots, id_l\}$, verifying the message-signature pair $(\mu, \sigma_t)$; outputting 1 if the verification passes, and 0 otherwise;

Step 5.1, parsing the signature $\sigma_t$ as $(e, R, t, \tau)$;

Step 5.2, according to the hash value $u$ and the verification matrix $A_R$, the verification passes if and only if $(A_R \cdot e) \bmod q = H_2(R, \mu, t, \tau)$ and the accompanying condition on $\|e\|$ holds; otherwise, the verification fails, where $O$ denotes the time complexity and $\|e\|$ denotes the $\ell_2$ norm of the vector $e$.

Scheme analysis:

Correctness: First assume that a ring signature $\sigma_t = (e, R, t, \tau)$ is generated strictly according to the above scheme, and that the signature is made within time period $t$. According to the private key extraction and key update algorithms of the scheme, the signer's basis at node $z$ is obtained from the private key $sk_{id,t} = \{sk_{id}[z],\ z \in \mathrm{Nodes}(t \to T-1)\}$, where $z \in \mathrm{Nodes}(t \to T-1)$, $z = \mathrm{Bin}(t)$, and the length is $d_t$. By the properties of the ExtBasis and RandBasis algorithms, it is obtained through repeated basis extraction and basis randomization. For $u = H_2(R, \mu, t, \tau)$, by the property of the SamplePre algorithm, $u = A_R e \bmod q$ holds, and the accompanying condition is satisfied with great probability. Thus, the identity-based forward security ring signature scheme is correct.

Security: For the same message $\mu$ and ring, the two signatures $\sigma_{0,t}$ and $\sigma_{1,t}$ generated by different signing users $id_b$ in the same time period $t$ are statistically indistinguishable, so the scheme satisfies anonymity. In the above construction, because the basis is the private key in the scheme, forward security is satisfied by repeatedly calling the algorithm to randomize it: even if an adversary obtains the private key of the current time period $t$, it cannot obtain the signing keys from before time period $t$. Furthermore, finding a short vector $e$ such that $A_R e \bmod q = 0$ can be reduced to the small integer solution hard problem, so the scheme satisfies unforgeability.

In conclusion, the identity-based forward security ring signature method is based on the difficult problem related to lattices, so that the attack of a quantum computer can be expected to be resisted, and meanwhile, the binary tree structure is adopted for carrying out user secret key evolution, so that better efficiency is provided on the premise of realizing forward security of signature. In addition, because the invention introduces the cipher system based on identity, the certificate management problem appearing in the traditional forward security ring signature is solved, and the efficiency of the scheme is further improved.
