CN104125199A - Attribute-based anonymous authentication method and system thereof - Google Patents

Abstract

The invention discloses an attribute-based anonymous authentication method. The method is as follows: 1) The trusted party TP generates a master key x and system public parameters according to the set security parameters; 2) User U registers and submits attributes to TP , initiate an attribute certificate issuance request; 3) TP verifies the attributes owned by user U, and issues attribute certificates to U according to U’s attributes, master key x and system public parameters; 4) User U initiates an access request to service provider SP ; 5) The SP finds the access policy corresponding to the access request and returns it to the user U; 6) The user U selects the attribute to use according to the access policy, then uses the attribute certificate and private key r to calculate an anonymous certificate, and sends it to the SP ; 7) The SP verifies the anonymous credential, and if it passes the verification and satisfies the access policy, it accepts the access request and provides corresponding services to the user. The invention ensures the user's privacy and supports a more flexible scheme for selectively presenting threshold attributes.

Description

An attribute-based anonymous authentication method and system

technical field

The invention belongs to the field of computer technology and information security, and relates to a method for protecting the privacy of user access service behaviors in a cloud computing environment and preventing privacy leakage, and is specifically embodied as an attribute-based anonymous authentication method and system.

Background technique

With the development of the Internet and mobile Internet, people's daily life is increasingly dependent on network services, and network services have begun to involve all aspects of basic necessities of life. Especially in recent years, the concept of cloud computing has brought together network services on the Internet, e-government, e-commerce, e-medicine, and various enterprise-level application management systems are widely used, and personal consumption behaviors such as online browsing, shopping, social networking, and games And more and more. Many activities in real life do not require identification, but the identity management system in network applications requires users to authenticate, and strictly restricts and monitors users' access to systems or applications. Therefore, the user's behaviors in network activities, private information such as preferences may be leaked during identity authentication, tracked and even analyzed by the service provider's audit function, and the interests of users will be harmed. More and more people have realized that , which has seriously threatened the privacy of users, how to avoid privacy leakage has become an urgent problem to be solved in the current network development.

At present, an important technology for identity authentication is the digital certificate system based on the X.509 system, but there are many risks in privacy protection with the X.509 public key certificate system and network identity authentication technology: First, users are required to Submit identity information; second, the public key certificate can be obtained publicly, which contains user information; third, the public key directory and revocation list will leak some private information of the user; fourth, the identity is completely disclosed during authentication. The traditional authentication process is actually a combination of identification and authentication, so that too much user information is provided to the service provider, resulting in the leakage of user privacy and bringing security threats to users. In actual application scenarios, the service provider needs to know whether the user is qualified to access the service, not the specific identity information of the user.

Therefore, for user privacy protection, research on anonymous credentials and its authentication technology has become a hot spot. The core idea of anonymous authentication is to separate the user's qualifications from identity identification in the authentication process, that is, only verify that the user is a certain set during the authentication process. members within without disclosing their specific identities. Traditional anonymous authentication schemes such as ring signatures, group signatures, etc. mean that users can prove to service providers that their identity credentials belong to a specific set of users (sets eligible to access services) according to the requirements of specific scenarios, but The service provider cannot identify which specific user in the specific user set the user is, so this technology realizes personal privacy protection by hiding the identity of the user. However, with the emergence and development of privacy-preserving signature technologies such as attribute-based signatures, a new idea is proposed for the design of anonymous authentication schemes. In Attribute Based Signature (ABS), the user's key contains several attribute information, and then the user can use his private key to sign the message. Similar to the ring signature, the signature generated by the ABS scheme can be verified to be generated by a user who satisfies the combination of relevant attributes, but the specific generator of the signature cannot be determined. The ABS solution is an attribute-centric anonymous credential and authentication system architecture, which abstracts user roles, relationships, and personal information into attributes. The server can formulate resource access control strategies based on user attributes; and users can also establish their own security policies. , to set whether to allow attribute extraction, in this way to achieve attribute-based user anonymous access. Since the ABS signature scheme itself has realized user anonymity and proof of attributes, it can be easily transformed into an anonymous authentication scheme. Compared with the traditional anonymous authentication scheme, the ABS scheme has higher efficiency (under certain conditions, the threshold ABS scheme can realize the signature length and verification process of constant complexity, and its calculation cost and message length are much smaller than similar anonymous authentication schemes), and can prove more complex security policies (thresholds, etc.). To sum up, researching anonymous credential schemes based on new signature schemes such as ABS is also a feasible research direction for anonymous authentication certificate systems.

At present, there are already some research projects that focus on technologies related to anonymous authentication, including the shibboleth project organized by Oasis and the Liberty project of Liberty Alliance, etc., but the core technology of these projects is to use pseudonyms in the communication process so that third parties Obtain the user's personal information, but the service provider can still obtain the user's real identity and associate user behavior, thereby destroying the user's personal privacy. , in the present invention, the service provider can only obtain the attributes required by the service, but cannot obtain other attributes, so that the activity association cannot be performed, and the real identity of the user cannot be obtained.

Contents of the invention

One of the objectives of the present invention is to overcome the problems existing in the prior art and provide an attribute-based anonymous authentication method and system. Specifically, the present invention includes the following two important aspects: firstly, an anonymous authentication algorithm based on attribute-based signature is designed; secondly, an attribute-based anonymous authentication system is designed.

1. Attribute-based anonymous authentication method

The purpose of the present invention is to provide an attribute-based anonymous authentication system to strengthen the privacy protection of users. The trusted party authenticates the user and issues the attribute certificate to the user. The user presents the attribute to the server, and the server verifies the identity of the attribute certificate. way to complete the authentication process. The attribute-based anonymous authentication method of the present invention mainly includes an attribute-based signature scheme, and the anonymous credential presentation and verification system provides anonymous credential presentation and verification functions for the system running the anonymous authentication protocol, and provides an anonymous credential presentation and verification algorithm. Realized to support threshold assertion presentation of user attributes.

The properties present the basic properties of the scheme:

●Anonymity

●Non-associative

●Presentation of attribute selection: the application cannot obtain attribute information irrelevant to the policy

The signature scheme includes three main algorithms, and the functions of each algorithm are as follows: (Here only briefly introduces the functions of each algorithm, and will detail the parameters and calculation process of the algorithm in the specific implementation method)

A. System setup algorithm: This algorithm is a probabilistic polynomial time algorithm completed by the attribute authority (that is, the trusted party). The algorithm inputs the security parameters defined by the trusted party (the security parameters are selected by the trusted party, and the security parameters for each operation are different. , the generated master key is different from the public parameters, such as selected according to time), output the master key and system public parameters, the master key is kept by the trusted party, and the system public parameters are made public, making it easy for other parties to obtain (such as published on the official website);

B. User Grant algorithm: As shown in Figure 2, this algorithm is a probabilistic polynomial time algorithm completed by the attribute authority (that is, the trusted party). The algorithm inputs a user's attribute set (the user's attribute set is the , the trusted party obtains it through offline verification), the master key and system public parameters, and the algorithm outputs the private key corresponding to the attribute to form the attribute certificate, and through the secret channel between the trusted party and the user (such as the offline mode, on-site handover, etc.) to the user securely; at the same time, the trusted party generates a public-private key pair for the user and sends it to the user through a secure channel.

C. User Prove algorithm: As shown in Figure 3, this algorithm is a probabilistic polynomial time algorithm completed by the user. The user first obtains the public parameters released by the trusted party, and the algorithm inputs the system public parameters (published by the trusted party), messages (and The message related to the service to be accessed), the user's attribute certificate, the secret random number r (the private key used to generate the anonymous certificate), and the attribute conditions required by the target service to access the user of the service (such as the user of the service Need to have k attributes among the listed n attributes, the information is obtained from the service provider), output the anonymous credential, and then send the generated anonymous credential to the service provider;

D. User Verify algorithm: As shown in Figure 4, this algorithm is a deterministic polynomial time algorithm completed by the verifier, that is, the service provider. The service provider first obtains the public parameters announced by the trusted party. When performing verification, the algorithm is called, and the input is system public parameters, message (related to the service the user wants to access), attribute conditions (for example, the user of the service needs to have k attributes among the listed n attributes) and anonymous Credentials are verified according to the UserVerify algorithm (the algorithm is described in detail in the specific implementation plan), and the judgment value "accept" or "reject" is output.

2. Attribute-based anonymous authentication system

The main participants in the system are Trust Provider (TP), User Agent (User Agent, UA) (users interact with Trusted Party and Service Provider through User Agent), and Service Provider (Service Provider, SP ) three parts, in which the trusted party TP will review user attributes and is responsible for issuing attribute certificates for users; user agent UA performs corresponding calculations on behalf of users, including user attribute mapping, attribute certificate calculation, certificate proof calculation, etc. The service provider SP will define the attributes required to access its service users, obtain the user's attribute credentials, verify the user's credentials, and other operations.

Its structure is shown in Figure 1. In the figure, there is one TP, one user U (the user communicates with TP or SP through UA), and one service provider SP. In the application process, there must be multiple users U, multiple service providers SP, of course, there may also be multiple trusted parties TP. The main components of the system are three parts: certificate issuance service, user agent plug-in, and application service. The main components of each part are as follows:

A. Credential Issuance Service

●User authentication

●Certificate issuance

B. User Agent Plugins

●Certificate request

●Voucher management

●Voucher presentation

C. Application service

●Strategy management

● Credential verification

The certificate issuance service runs on the TP end of the trusted party, where the user identity verification function uses public key encryption technology to confirm that the user has a legal public-private key pair (the public-private key pair is provided by a trusted organization such as the Public Security Bureau for the user according to the user's identity. Generate) to verify the legitimacy of the user; the certificate issuance function is to submit attributes to the trusted party when the user submits an attribute certificate request, and the trusted party will conduct administrative review and verification of the attributes applied by the user. After the verification is passed, Issue the corresponding attribute certificate for the user, which is the processing of the authenticated attribute of the user and can be used for encryption operations.

The user agent plug-in runs on the user side and completes some complex calculations and matching on behalf of the user. It first assigns an attribute identifier to the attribute submitted by the user for authentication (the assignment method is first specified by the TP, and makes it easy for other parties to obtain it. The purpose is to convert the attribute into an integer that can be encrypted, such as "age=1" is mapped to "1"), instead of the user submitting an application request for an attribute certificate to the trusted party, the value corresponding to the attribute to be applied by the user is sent to the TP. The credential management function is to maintain a list of all attribute certificates that the user has applied for, and perform operations such as searching, adding, deleting, and replacing attribute certificates. The credential presentation function is to select the corresponding attribute credential after obtaining the attributes required by the service provider SP, and to present the credential as an anonymous credential to the service provider after performing selective hidden attribute calculation on the credential content according to the requirements of the SP. After the challenge (random number challenge) issued by the service provider, the response value is calculated according to the difference of the challenge value, which proves to the SP that the user has hidden attributes.

The application service is mainly the SP side, and the policy management function is mainly to maintain the attribute policy required for accessing the service; the credential verification is the attribute credential sent from the client, according to the access policy of the corresponding service (the service is different, the access policy is different, all are saved) At the SP side), and TP public parameters are verified (the specific verification algorithm is detailed in the implementation plan), and it is judged whether the requirements of the access policy are met. If verified, the user is authenticated by the service.

Compared with the prior art, the advantages of the present invention are mainly reflected in:

1) Using an attribute signature-based anonymous credential algorithm, compared with the existing general anonymous credential system, users can selectively hide attributes to support a more flexible threshold attribute selective presentation scheme.

2) The length of the attribute signature in the present invention is constant, so the length of the message transmitted by the anonymous authentication protocol is constant, which improves the communication efficiency of the protocol.

3) While ensuring privacy, the use of attribute-based signature technology ensures the unforgeability and non-lending properties of credentials, which provides a guarantee for the realization of user-centered authentication and access control processes with high privacy and high security.

4) The implementation of specific algorithms in the attribute-based anonymous credential scheme is relatively independent from the framework, and can be conveniently expanded under a unified framework to support more types of algorithms.

5) Non-connectability, which means that it is computationally difficult for a service or multiple services to associate a user's activities together, that is to say, a user will remain anonymous no matter how many times he visits a service.

6) Least privilege, it is difficult for a service or multiple services to calculate user attributes other than those required by the service. That is to say, during each user authentication process, the service can only obtain the attributes required by the session and authorized by the user, but not other attribute information of the user.

Description of drawings

Figure 1 Anonymous credential architecture diagram;

Figure 2 Anonymous Authentication System Credential Issuance Protocol;

Figure 3 Anonymous authentication system credential presentation protocol;

Figure 4 Anonymous authentication system modules and interfaces.

Detailed ways

The present invention will be described in more detail below by specific examples. Among them, embodiment 1 provides the anonymous credential algorithm based on attribute signature involved in the system, and embodiment 2 provides the specific operation mode of the anonymous credential system.

Example 1. Attribute-based anonymous authentication algorithm

A specific example of the attribute-based signature algorithm of the present invention is given below:

set up and is a cyclic group of prime number order with order p (t is used to denote ,illustrate and are two different groups, that is, the present invention needs to set two groups, and use subscript t to distinguish two different prime order cyclic groups), and g is generator of . for arrive bilinear map on .

A. System setup algorithm

The algorithm is executed by a trusted party. First, define the maximum number of attributes n that can be included in the credential, and then assign an attribute value ω _i to each possible user attribute i (according to a predefined distribution method), and select n in addition -1 redundant attribute d _j forms a redundant attribute set D, (the distribution of redundant attributes needs to ensure that it will not be repeated with user attributes, if there are less than n user attributes in the credential to be constructed, the trusted party will choose redundant attributes to supplement to n), these redundant attributes will not be issued to any user. Then choose randomly Generators g, h, randomly selected As the private key, the master key, compute As a part of the public parameters of the system, the scheme TP finally generates the public parameters as $\{g,g^x,g^{x^2},g^{x^3},...,g^{x^{2\mathrm{no}-1}},h,h^x,h^{x^2},h^{x^3},...,h^{x^{\mathrm{no}-1}},\mathrm{\Ω}=\{{\mathrm{\ω}}_i\},\mathrm{D.}=\{d_j\}\},$ TP's master key is x. (Public parameters include user attribute set Ω and redundant attribute set D, and redundant attribute set D needs to be published)

B. User Grant Algorithm

When user U applies for an attribute certificate with attribute set Ω _U ∈ Ω (where Ω is the set of all attributes, Ω _U is the set of user attributes), TP performs the following operations:

check first

If not, the execution is refused, that is to say, when the attributes submitted by the user include redundant attributes, the execution is refused.

If the intersection is empty, TP randomly selects a generator , and then for the attribute value ω _Ui of the i-th attribute in Ω _U (calculated for each attribute), calculate the intermediate value The calculation output attribute credential cre={g _U , {U _i }(ω _Ui ∈Ω _U )}.

C. User Prove Algorithm

When a user wants to access a service, it needs to prove that the attributes it owns meet the policy defined by the SP corresponding to the service. The policy here is a threshold policy, that is, an application service user attribute must satisfy: the same as in attribute set A At least t attributes among the k attributes are consistent, that is, Γ=(t, A) (1≤t≤k=|A|≤n, |A|∩Ω _U |≥t), the user agent UA starts from its attribute set Select a subset of attributes that can satisfy the SP strategy Then select the first n+tk-1 elements in the set D={d _i }, and record the set of these elements as D _n+tk-1 . Users can use the U _i in their credential to calculate (each attribute has a U _i value in cre, corresponding to the credential value of each attribute):

${\mathrm{<span\; class="notranslate">\; A</span>}}_{\mathrm{<span\; class="notranslate">\; 1</span>}}<span\; class="notranslate">\; =</span>{{\mathrm{<span\; class="notranslate">\; g</span>}}_{\mathrm{<span\; class="notranslate">\; u</span>}}}^{\mathrm{<span\; class="notranslate">\; 1</span>}<span\; class="notranslate">\; /</span>{\mathrm{<span\; class="notranslate">\; \&Pi;</span>}}_{{\mathrm{<span\; class="notranslate">\; \&omega;</span>}}_{\mathrm{<span\; class="notranslate">\; Ui</span>}}<span\; class="notranslate">\; \&Element;</span>{\mathrm{<span\; class="notranslate">\; \&Omega;</span>}}_{\mathrm{<span\; class="notranslate">\; u</span>}}^{<span\; class="notranslate">\; \&prime;</span>}}<span\; class="notranslate">\; (</span>\mathrm{<span\; class="notranslate">\; x</span>}<span\; class="notranslate">\; +</span>{\mathrm{<span\; class="notranslate">\; \&omega;</span>}}_{\mathrm{<span\; class="notranslate">\; Ui</span>}}<span\; class="notranslate">\; )</span>}$

Next, since |D _n+tk-1 ∩(A-Ω′ _U )|=(n+tk-1)+(kt)=n-1, the user can use $g,g^x,...,g^{x^{\mathrm{no}-1}},h,h^x,...,h^{x^{\mathrm{no}-1}}$ calculate $A_2=g^{{\mathrm{\&Pi;}}_{\mathrm{\&omega;}\&Element;{\mathrm{D.}}_{\mathrm{no}+t-k-1}\&cap;(A-{\mathrm{\&Omega;}}_u^{\&prime;})}(x+\mathrm{\&omega;})},A_3=h^{{\mathrm{\&Pi;}}_{\mathrm{\&omega;}\&Element;{\mathrm{D.}}_{\mathrm{no}+t-k-1}\&cap;(A-{\mathrm{\&Omega;}}_u^{\&prime;})}(x+\mathrm{\&omega;})}$ (where A1, A2, A3 are calculated intermediate values). Finally, the UA randomly chooses the secret value , used to calculate Send the anonymous credentials (π ₁ , π ₂ , π ₃ , π ₄ ) to the SP.

D. User Verify Algorithm

After the verifier SP obtains (π ₁ , π ₂ , π ₃ , π ₄ ), it first confirms whether g _U = π ₄ is established, (g _U is the first element in the user’s anonymous credential, and π ₄ is the The last element in the anonymous evidence sent by the UA to the SP), if it is true, it means that the user of the anonymous certificate belongs to the set of users who have issued the certificate, then use calculate and verify: And whether e(h, π ₂ )=e(g, π ₃ ) is established, if it is established, it means that the attributes owned by the user satisfy the threshold policy Γ.

Example 2. Attribute-based anonymous authentication system

This embodiment aims to provide a specific example of the attribute-based anonymous authentication system of the present invention.

The system consists of three main bodies: Trust Provider (TP), User Agent (User Agent, UA), and Service Provider (Service Provider, SP). The three parts are connected through the network, and the trusted party is responsible for authenticating users and issuing attribute certificates for users. The main work of the user side is completed by the user agent, mainly receiving, storing, querying attribute credentials, and generating verification assertions to assist in the verification of the application service provider. Before requesting services, users need to apply for attribute certificates from trusted parties. When requesting services, they only need to show the attributes that the application service provider needs to be authenticated. For example, online game companies only need users to prove that they are older than the legal age and that their country belongs to a specified country. wait. The service provider verifies the attributes presented by the user, and grants the corresponding access rights if the verification passes.

The specific implementation process is divided into four sections: system initialization, certificate issuance protocol, certificate presentation protocol and certificate verification protocol. The system initialization process generates necessary public parameters for the operation of the protocol. The credential issuance process is mainly completed through negotiation between the trusted party TP and the user. The certificate presenting agreement is completed jointly by the user and the service provider SP.

This embodiment is based on the following scenario setting: after the user U obtains the attribute certificate issued by the trusted party TP, he accesses the resources of the application provider SP, and the SP specifies an access policy Γ, and if U satisfies the access policy, the user is allowed to access. The specific process as follows:

1) TP runs the setup algorithm in Example 1, saves the generated master key, and publishes the system public parameters in a way that other parties can easily obtain

2) User U initiates an attribute certificate issuance request to TP through user agent UA, that is, registers and submits attributes;

3) TP and U execute the authentication protocol, verify the attributes owned by the user, and issue the attribute certificate cre to U according to U's attributes, master key x and system public parameters;

4) The user U initiates an access request to the service provider SP through the user agent UA, including the identifier of the service to be accessed;

5) The application service provider SP searches for the access policy required by the resource accessed by the user (the policy is pre-customized, and different services require different policies, here the SP only needs to find the corresponding policy), and returns it to User U's proxy UA;

6) The user agent prompts the user U to select the attribute to be used, and the user uses his own attribute certificate and a private key r used to generate the anonymous certificate to calculate the anonymous certificate according to the attribute (the attribute certificate issued by the TP is processed so that the SP can Decrypt the attributes required by the target service, but cannot get the specific values of other attributes in the attribute certificate, but you can know that it has been authenticated by the TP, and the specific algorithm is in the C algorithm in Example 1), and send it to the SP through the user agent;

7) The application service provider SP verifies the user's anonymous certificate, and if the verification passes and satisfies the access policy, the resource is returned to the user (the specific algorithm is in the D algorithm in Example 1).

Claims (10)

1. An attribute-based anonymous authentication method, the steps of which are: 1) The trusted party TP generates a master key x and system public parameters according to the set security parameters; where the master key x is the private key of the trusted party TP; 2) User U registers and submits attributes to TP, and initiates an attribute certificate issuance request; 3) TP verifies the attributes owned by user U, and generates and issues attribute certificate cre to U according to U's attributes, master key x and system public parameters; 4) The user U initiates an access request to the service provider SP; 5) The service provider SP searches for the access policy corresponding to the access request, and returns it to the user U; 6) User U selects the attribute to be used according to the access policy, and then uses the attribute credential cre and a private key r for generating an anonymous credential to calculate an anonymous credential and send it to the SP; 7) The service provider SP verifies the anonymous credential, and if it passes the verification and satisfies the access policy, it accepts the access request and provides corresponding services to the user. 2. The method according to claim 1, characterized in that the method for generating the attribute credential cr is: the trusted party uses the probabilistic polynomial time algorithm, uses the attribute set input by the user, the master key x and the system public parameters to generate The property credential. 3. The method according to claim 1, wherein the method for generating the anonymous credential is as follows: the user obtains the system public parameters released by the trusted party, and then uses the probabilistic polynomial time algorithm according to the system public parameters, messages, and user attributes Credentials, a private key r used to generate the anonymous credential, and select the attributes to use to generate said anonymous credential. 4. The method according to claim 1, wherein the method for the service provider SP to verify the anonymous credential is: the service provider utilizes a deterministic polynomial time algorithm, according to system public parameters, messages, predicates and signature verification of messages The anonymous credentials. 5. The method according to claim 1, wherein the trusted party uses a probabilistic polynomial time algorithm to generate the master key x and system public parameters according to the security parameters set by the trusted party. 6. The method according to any one of claims 1 to 5, characterized in that the generation method of the master key x and the system public parameters is: 61) The trusted party sets two prime-order cyclic groups with order p and , g is generator of for arrive Bilinear map on ; 62) Set the maximum number of attributes that can be included in an attribute credential as n, then assign an attribute value ω _i to each user attribute i that may be used, and select n-1 redundant attributes d _j to form a redundant Attribute set D; wherein each redundant attribute d _j is not repeated with user attributes; 63) Random selection Generators g, h in the middle, randomly selected As the private key of the TP, that is, the master key, the public parameters are generated using the probabilistic polynomial time algorithm $g,g^x,g^{x^2},g^{x^3},...,g^{x^{2\mathrm{no}-1}},h,h^x,h^{x^2},h^{x^3},...,h^{x^{\mathrm{no}-1}},\mathrm{\&Omega;}=\left\{{\mathrm{\&omega;}}_i\right\},\mathrm{D.}=\left\{d_j\right\}.$ 7. The method according to claim 6, wherein the generating method of the attribute certificate is: when the user U applies for the attribute certificate with the attribute set Ω _U ∈ Ω, wherein Ω is the set of all attributes, and Ω _U is User U's attribute set; the trusted party first checks whether the attributes submitted by user U contain redundant attributes, and if it does, refuses to generate attribute certificates; otherwise, the trusted party randomly selects a generator , and then for the attribute value ω _Ui of the i-th attribute in Ω _U , calculate the intermediate value Thus, the output attribute credential cre={g _U , {U _i }(ω _Ui ∈Ω _U )} is calculated. 8. The method according to claim 7, wherein the method for generating the anonymous credential is: 81) When the user wants to access a service of the service provider, the user selects an attribute subset from the user attribute set through the user agent UA that can satisfy the service policy corresponding to the service Wherein the service policy is: the user attribute set is consistent with at least t attributes among the k attributes in the corresponding attribute set A of the service; 82) The user selects the first n+tk-1 elements in the set D={d _i }, and the set of these elements is recorded as D _n+tk-1 ; 83) The user calculates using the attribute value U _i in its attribute credential cre $A_2=g^{{\mathrm{\&Pi;}}_{\mathrm{\&omega;}\&Element;{\mathrm{D.}}_{\mathrm{no}+t-k-1}\&cap;{(A-{\mathrm{\&Omega;}}_u^{\&prime;})}^{(x+\mathrm{\&omega;})}}},A_3=h^{{\mathrm{\&Pi;}}_{\mathrm{\&omega;}\&Element;{\mathrm{D.}}_{\mathrm{no}+t-k-1}\&cap;{(A-{\mathrm{\&Omega;}}_u^{\&prime;})}^{(x+\mathrm{\&omega;})}}};$ 84) Random selection , as the private key r used to generate the anonymous credential, compute The anonymous credentials (π ₁ , π ₂ , π ₃ , π ₄ ) are obtained. 9. The method according to claim 1, wherein the client assigns each attribute submitted by the user an attribute identifier set by a trusted party, and adopts the corresponding identifier and attribute value for the attribute and attribute value to be applied by the user sent to a trusted party. 10. An attribute-based anonymous authentication system, characterized in that it includes a trusted party TP, a user agent UA and a service provider SP connected to each other through a network; wherein, The trusted party is responsible for authenticating the user, and generates a master key x and system public parameters according to the set security parameters; among them, the master key x is the private key of the trusted party TP; verifies the attributes owned by the user U, and according to U's attribute, master key x and system public parameters generate and issue attribute credential cre for it; The user agent is used for the user U to register attributes with the trusted party, as well as apply, receive, store, and query attribute certificates, initiate access requests to the service provider SP, and generate anonymous certificates to present to the service provider; The service provider verifies the anonymous credentials presented by the user agent, and if the verification passes and the corresponding access policy is met, the corresponding access rights are granted.